OpenClaw versions before 2026.2.22 may reveal gateway login secrets
CVE-2026-32897
Summary
Older versions of OpenClaw reuse the gateway login token as the secret for hashing owner IDs in prompts, so one secret serves both authentication and obfuscation. If an attacker can see a system prompt sent to a third-party model provider, they may be able to work back from the hashed values to the login token, compromising gateway authentication. Update to version 2026.2.22 or later to fix this issue.
Original title
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is ...
Original description
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.
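As an added illustration that is not OpenClaw's own code (the HMAC construction, the config layout and the sample values are assumptions), the fallback the advisory describes sits beside a fail-closed variant, with a config check that flags the dual use:

```python
"""Constructed illustration of the secret-reuse pattern in CVE-2026-32897."""
import hashlib
import hmac

# Constructed sample configs (not real values): ownerDisplay=hash, one with
# no dedicated display secret, one with a separate secret set.
VULNERABLE_CONFIG = {
    "gateway": {"auth": {"token": "gw-token-EXAMPLE-ONLY"}},
    "commands": {"ownerDisplay": "hash", "ownerDisplaySecret": None},
}
HARDENED_CONFIG = {
    "gateway": {"auth": {"token": "gw-token-EXAMPLE-ONLY"}},
    "commands": {"ownerDisplay": "hash", "ownerDisplaySecret": "display-secret-EXAMPLE-ONLY"},
}


def _obfuscate(owner_id: str, secret: str) -> str:
    """Keyed hash of an owner ID for use in a prompt (assumed construction)."""
    return hmac.new(secret.encode(), owner_id.encode(), hashlib.sha256).hexdigest()[:16]


def effective_hash_secret_before_fix(config: dict) -> str:
    """Pre-2026.2.22 behaviour per the advisory: gateway.auth.token is the fallback."""
    return config["commands"].get("ownerDisplaySecret") or config["gateway"]["auth"]["token"]


def owner_display_before_fix(owner_id: str, config: dict) -> str:
    """Vulnerable path: the hash secret may be the authentication token itself."""
    return _obfuscate(owner_id, effective_hash_secret_before_fix(config))


def owner_display_hardened(owner_id: str, config: dict) -> str:
    """Fail closed rather than borrow a secret from another security domain."""
    secret = config["commands"].get("ownerDisplaySecret")
    if not secret:
        raise ValueError("commands.ownerDisplaySecret is required when ownerDisplay is 'hash'")
    if hmac.compare_digest(secret.encode(), config["gateway"]["auth"]["token"].encode()):
        raise ValueError("commands.ownerDisplaySecret must not equal gateway.auth.token")
    return _obfuscate(owner_id, secret)


def hash_secret_reuses_auth_token(config: dict) -> bool:
    """Config audit: does the effective obfuscation secret double as the auth token?"""
    if config["commands"].get("ownerDisplay") != "hash":
        return False
    effective = effective_hash_secret_before_fix(config)
    return hmac.compare_digest(effective.encode(), config["gateway"]["auth"]["token"].encode())
```

Running the audit against a deployed config (or refusing to start when it returns True) is the quick mitigation until the upgrade is applied.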
NVD CVSS 3.1
3.7
NVD CVSS 4.0
6.3
Vulnerability type
CWE-320
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026