PT-2026-35608 · Npm · Openclaw

Published

2026-04-17

·

Updated

2026-04-17

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

config.get redaction bypass through sourceConfig and runtimeConfig aliases.

Affected Packages / Versions

  • Package: openclaw
  • Ecosystem: npm
  • Affected versions: < 2026.4.14
  • Patched versions: >= 2026.4.14

Impact

An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.

Technical Details

The fix explicitly overwrites sourceConfig and runtimeConfig with the same redacted copies used for resolved and config, including the invalid-snapshot branch. Tests now cover both alias fields.

Fix

The issue was fixed in #66030. The first stable tag containing the fix is v2026.4.14, and openclaw@2026.4.14 includes the fix.

Fix Commit(s)

  • 86734ef93a2f25063371b04f1946eb300548acd4
  • PR: #66030

Release Process Note

Users should upgrade to openclaw 2026.4.14 or newer. The latest npm release, 2026.4.14, already includes the fix.

Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-212

Related Identifiers

GHSA-8372-7VHW-CM6Q

Affected Products

Openclaw