PT-2026-33570 · Npm · Openclaw

Published

2026-04-07

·

Updated

2026-04-07

CVSS v3.1

3.7

Low

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.

Impact

The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • be10ecef770a4654519869c3641bbb91087c8c7b — reuse the shared secret comparison helper at affected call sites

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.
Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-208

Related Identifiers

GHSA-JJ6Q-RRRF-H66H

Affected Products

Openclaw