PT-2026-35608 — Npm Openclaw

PT-2026-35608 · Npm · Openclaw

Publicado

2026-04-17

Atualizado

2026-04-17

CVSS v4.0

7.1

Alta

Vetor

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

config.get redaction bypass through sourceConfig and runtimeConfig aliases.

Affected Packages / Versions

Package: openclaw
Ecosystem: npm
Affected versions: < 2026.4.14
Patched versions: >= 2026.4.14

Impact

An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.

Technical Details

The fix explicitly overwrites sourceConfig and runtimeConfig with the same redacted copies used for resolved and config, including the invalid-snapshot branch. Tests now cover both alias fields.

Fix

The issue was fixed in #66030. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix.

Fix Commit(s)

86734ef93a2f25063371b04f1946eb300548acd4
PR: #66030

Release Process Note

Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.

Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-212

Identificadores relacionados

GHSA-8372-7VHW-CM6Q

Produtos afetados

Openclaw