Wang Dong

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.2 **Description** Authenticated clients without administrative privileges can access `configPath` and `stateDir` metadata within Gateway connect success snapshots. This exposure allows non-admin clients to recover host-specific filesystem paths and deployment details, which can be used for host fingerprinting and to facilitate chained attacks. **Recommendations** Update to version 2026.4.2.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.31 **Description** An information disclosure issue exists in the Control Interface bootstrap JSON. This allows attackers to extract sensitive fingerprinting information, specifically version and assistant agent identifiers, from the Control UI bootstrap payload to identify system versions and agent configurations. **Recommendations** Update to version 2026.3.31.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.3.28 **Description** OpenClaw accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. This allows unauthenticated network attackers to exhaust socket and worker capacity, resulting in a denial of service that disrupts WebSocket availability for legitimate clients. **Recommendations** Update to version 2026.3.28.