CVSS 4.0 score (as rated by GHSA): 2.1
OpenClaw exposes sensitive data in system prompts
GHSA-v6x2-2qvm-6gv8
Summary
OpenClaw (an npm package) reused its gateway authentication token (`gateway.auth.token`, or `gateway.remote.token`) as the hashing secret for obfuscating owner IDs in system prompts whenever `commands.ownerDisplay=hash` was enabled and no dedicated `commands.ownerDisplaySecret` had been configured. The resulting hashes are sent to third-party model providers as part of the prompt. The token itself is never written to the prompt, but one secret was serving two unrelated security domains (gateway authentication and prompt metadata hashing), and because the hash outputs are visible to whoever receives the prompt, the practical exposure is greatest when the gateway token is weak enough to guess. The fix removes the fallback and instead auto-generates and persists a separate secret for owner-ID hashing.
What to do
- Update openclaw to version 2026.2.22 or later.
- Until you can upgrade, set an explicit, randomly generated `commands.ownerDisplaySecret` wherever `commands.ownerDisplay=hash` is enabled, so the fallback to the gateway token is never taken; if the gateway token in use was weak, rotate it as well.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.21-2 | 2026.2.22 |
Original title
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
Original description
## Vulnerability
OpenClaw reused `gateway.auth.token` (and `gateway.remote.token`) as a fallback hash secret for owner-ID prompt obfuscation when `commands.ownerDisplay=hash` and `commands.ownerDisplaySecret` was unset.
This created secret dual-use between gateway authentication and prompt metadata hashing.
## Impact
- Auth-secret dual-use across security domains (gateway auth and prompt metadata hashing).
- Hash outputs are visible to third-party model providers in system prompts.
- No direct plaintext token disclosure.
- Practical risk is highest when operators use weak gateway tokens and leave owner hash secret unset.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest affected published version: `2026.2.21-2`
- Vulnerable range: `<= 2026.2.21-2`
- Patched version (planned next release): `2026.2.22`
## Affected Components
- `src/agents/cli-runner/helpers.ts`
- `src/agents/pi-embedded-runner/run/attempt.ts`
- `src/agents/pi-embedded-runner/compact.ts`
## Remediation
- Added a shared owner-display resolver and secret-generation helper.
- Removed fallback to `gateway.auth.token` and `gateway.remote.token`.
- Auto-generates and persists a dedicated `commands.ownerDisplaySecret` when hash mode is enabled and secret is missing.
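The following TypeScript is an added illustration of the vulnerable resolver pattern described above beside the remediated one; it is not OpenClaw's code. The config shape, the HMAC-SHA256 construction and 16-hex-character truncation, the helper names, the sample owner ID and the candidate-token list are all assumptions made for the example. The last two functions show why the advisory singles out weak gateway tokens: with the fallback in place, anyone who sees a prompt hash and knows the owner ID it labels can test token guesses offline, whereas with a dedicated secret the gateway token plays no part in the hash.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumed, simplified shape of the OpenClaw config keys named in the advisory.
// Only the key names come from the advisory; the nesting is a guess for illustration.
export interface OpenClawConfig {
  gateway?: { auth?: { token?: string }; remote?: { token?: string } };
  commands?: { ownerDisplay?: "raw" | "hash"; ownerDisplaySecret?: string };
}

// Keyed hash of an owner ID. The advisory only says "hash secret"; using
// HMAC-SHA256 truncated to 16 hex chars is this example's assumption.
export function hashOwnerId(secret: string, ownerId: string): string {
  return createHmac("sha256", secret).update(ownerId).digest("hex").slice(0, 16);
}

// BEFORE (the pattern the advisory describes): when no dedicated secret is set,
// fall back to the gateway auth token, then the remote token. The authentication
// secret silently becomes the prompt-hashing key.
export function resolveOwnerDisplaySecretVulnerable(cfg: OpenClawConfig): string | undefined {
  return (
    cfg.commands?.ownerDisplaySecret ??
    cfg.gateway?.auth?.token ??
    cfg.gateway?.remote?.token
  );
}

// AFTER (the pattern the remediation describes): never consult gateway tokens.
// If hash mode is on and no secret exists, generate a dedicated one and store it
// back on the config object (a real implementation would persist it to disk).
export function resolveOwnerDisplaySecretFixed(cfg: OpenClawConfig): string | undefined {
  if (cfg.commands?.ownerDisplay !== "hash") return undefined;
  if (!cfg.commands.ownerDisplaySecret) {
    cfg.commands.ownerDisplaySecret = randomBytes(32).toString("hex");
  }
  return cfg.commands.ownerDisplaySecret;
}

// Does this candidate token reproduce the hash seen in a prompt for a known owner ID?
// Constant-time comparison so the checker itself is not a timing oracle.
export function tokenProducesHash(candidateToken: string, ownerId: string, promptHash: string): boolean {
  const a = Buffer.from(hashOwnerId(candidateToken, ownerId));
  const b = Buffer.from(promptHash);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Offline guess over a small candidate list. This is the generic consequence of
// secret dual-use: a prompt recipient who recognises the owner ID can test guesses
// against the visible hash, which only matters when the token is guessable.
export function recoverTokenFromPromptHash(
  promptHash: string,
  ownerId: string,
  candidates: string[],
): string | undefined {
  return candidates.find((t) => tokenProducesHash(t, ownerId, promptHash));
}

// Constructed sample configuration: hash mode on, weak gateway token, no dedicated secret.
export function makeSampleConfig(): OpenClawConfig {
  return { gateway: { auth: { token: "changeme" } }, commands: { ownerDisplay: "hash" } };
}

export function demo() {
  const ownerId = "U0123OWNER"; // constructed sample owner ID
  const weakTokens = ["password", "letmein", "changeme", "openclaw"]; // constructed guess list

  const vulnerable = makeSampleConfig();
  const fixed = makeSampleConfig();

  const vulnHash = hashOwnerId(resolveOwnerDisplaySecretVulnerable(vulnerable)!, ownerId);
  const fixedHash = hashOwnerId(resolveOwnerDisplaySecretFixed(fixed)!, ownerId);

  return {
    recoveredFromVulnerable: recoverTokenFromPromptHash(vulnHash, ownerId, weakTokens),
    recoveredFromFixed: recoverTokenFromPromptHash(fixedHash, ownerId, weakTokens),
    fixedSecretIsDedicated: fixed.commands!.ownerDisplaySecret !== fixed.gateway!.auth!.token,
  };
}
```

Running `demo()` recovers `"changeme"` from the hash produced by the vulnerable resolver and recovers nothing from the hash produced by the fixed one; the fixed resolver also returns the same generated secret on every call once it has been stored, which is the "persist" part of the remediation.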
## Fix Commit(s)
- c99e7696e6893083b256f0a6c88fb060f3a76fb7
## Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`). Once npm release `2026.2.22` is published, this advisory can be published as-is with no further changes.
OpenClaw thanks @aether-ai-agent for reporting.
Vulnerability type: CWE-522 (Insufficiently Protected Credentials)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026