PT-2026-33570 · Npm · Openclaw

Publicado

2026-04-07

·

Atualizado

2026-04-07

CVSS v3.1

3.7

Baixa

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.

Impact

The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • be10ecef770a4654519869c3641bbb91087c8c7b — reuse the shared secret comparison helper at affected call sites

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-208

Identificadores relacionados

GHSA-JJ6Q-RRRF-H66H

Produtos afetados

Openclaw