PT-2026-33551 · Npm · Openclaw

Published 2026-04-07 · Updated 2026-04-07

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Summary

Before OpenClaw 2026.4.2, the Gateway connect success snapshot exposed local configPath and stateDir metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.

Impact

A non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • 676b748056b5efca6f1255708e9dd9469edf5e2e — limit connect snapshot metadata to admin-scoped clients
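
The scope gate named in the fix commit title, sketched as an added example that is not OpenClaw's code. The snapshot shape, the "admin" scope string, the sample paths and all function names are assumptions; only configPath and stateDir come from the advisory.

```javascript
// Added illustration, not OpenClaw source. The snapshot shape, the "admin"
// scope string and every function name here are assumptions.

// Host-describing fields named in the advisory.
const HOST_ONLY_FIELDS = ["configPath", "stateDir"];

// Constructed session data that any authenticated client may receive.
function baseSnapshot() {
  return { protocol: 1, sessionId: "sess-constructed-01" };
}

// Constructed host metadata; the paths are made up for this example.
function hostMetadata() {
  return {
    configPath: "/srv/example/config.json",
    stateDir: "/srv/example/state",
  };
}

// Behaviour the advisory describes before the fix: every authenticated
// client gets the same snapshot, host paths included.
function connectSnapshotUnscoped(_client) {
  return { ...baseSnapshot(), ...hostMetadata() };
}

// Behaviour the fix commit title describes: host metadata is merged in only
// for admin-scoped clients. Missing or malformed scopes fail closed.
function connectSnapshotScoped(client) {
  const scopes = Array.isArray(client?.scopes) ? client.scopes : [];
  const snapshot = baseSnapshot();
  return scopes.includes("admin")
    ? { ...snapshot, ...hostMetadata() }
    : snapshot;
}

// Regression check: which host-only fields does a response still carry?
function leakedHostFields(snapshot) {
  return HOST_ONLY_FIELDS.filter((field) => field in snapshot);
}
```

Running leakedHostFields over the connect response of a low-privilege test client is a quick way to confirm that a deployment is on a patched build.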

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @topsec-bunney for reporting.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

GHSA-2F7J-RP58-MR42

Affected Products

Openclaw