Description
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.
Published: 2026-05-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw before 2026.4.14 contains a redaction bypass that enables authenticated gateway clients to retrieve secrets that should have been hidden. The flaw sits in the handling of the sourceConfig and runtimeConfig alias fields, which let an attacker with sufficient read permissions read provider API keys, gateway authentication credentials, and channel secrets. The result is a confidentiality violation that exposes highly sensitive material to any compromised or low-trust account holding config read access.

Affected Systems

The affected product is OpenClaw, and all releases older than 2026.4.14 are vulnerable. The fix was applied in the 2026.4.14 release, as indicated by the referenced commit and advisory. Upgrading to that version is required to remove the ability to obtain non-redacted information through the alias fields.

Risk and Exploitability

The vulnerability scores a CVSS of 7.1, indicating high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. Exploitation requires the attacker to have authenticated access with configuration read rights, which is a permission commonly granted to gateway users. Because of the confidentiality impact and the typical scope of these permissions, the risk is significant for organizations that rely on OpenClaw for secure handling of gateway secrets.

Generated by OpenCVE AI on May 5, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.14 or later to apply the vendor fix
  • Restrict configuration read permissions to only trusted administrators to limit exposure
  • Audit existing configuration files to ensure no alias fields expose secrets
  • Implement monitoring of secret access events to detect potential misuse

Generated by OpenCVE AI on May 5, 2026 at 12:52 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-8372-7vhw-cm6q
Title: OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
History

Tue, 05 May 2026 11:45:00 +0000

Values added (no values removed):

  • Description: OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.
  • Title: OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases
  • First Time appeared: Openclaw; Openclaw openclaw
  • Weaknesses: CWE-212
  • CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  • Vendors & Products: Openclaw; Openclaw openclaw
  • References
  • Metrics:
      cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
      cvssV4_0: score 7.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-05T11:24:59.369Z

Reserved: 2026-05-01T16:56:19.947Z

Link: CVE-2026-43528

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T12:16:18.917

Modified: 2026-05-05T12:16:18.917

Link: CVE-2026-43528

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:00:07Z

Weaknesses