PT-2026-26746 · Openclaw · Openclaw

Aether Ai · Published 2026-03-03 · Updated 2026-05-18 · CVE-2026-32897

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerable software and affected versions: OpenClaw versions prior to 2026.2.22

Description: The software reuses gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset. This is a dual use of an authentication secret across two security domains. An attacker with access to the system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, potentially compromising gateway authentication.

Recommendations: Update to version 2026.2.22 or later.

Weakness Enumeration

Insufficiently Protected Credentials


Related identifiers

CVE-2026-32897
GHSA-8MR2-F9WF-HCFQ
GHSA-V6X2-2QVM-6GV8

Affected products

Openclaw