
OpenClaw exposes sensitive information through its control interface

GHSA-hr8g-2q7x-3f4w
Summary

A recent update to OpenClaw's control interface inadvertently exposed sensitive information, such as version numbers and agent IDs, in the Control UI bootstrap JSON. This information disclosure is low severity on its own, but the exposed values can be used to fingerprint a deployment. If you use OpenClaw, update to version 2026.3.31 or later to fix the issue.

What to do
  • Update openclaw to version 2026.3.31.
Affected software
  Vendor / Product: openclaw
  Affected versions: <= 2026.3.28
  Fix available: 2026.3.31
Original title
OpenClaw Has a Gateway Control Interface Information Disclosure Vulnerability
Original description
## Summary
OpenClaw Gateway Control Interface Information Disclosure Vulnerability

## Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Released Control UI bootstrap JSON did expose version and assistant agent id, but that is low-severity fingerprinting or info disclosure only; unreleased c5c10adc trims the payload.

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`

## Fix Commit(s)
- `c5c10adc022f42eb75ebb3bf364dd607738683b3` — 2026-03-30T15:08:19+01:00

OpenClaw thanks @topsec-bunney for reporting.
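As an added defender-side example (not part of the advisory or the OpenClaw project), the snippet below checks an installed openclaw version against the ranges stated above and scans a Control UI bootstrap payload for the kind of fingerprintable fields the advisory describes. The JSON key names and the sample payload are assumptions constructed for illustration; the advisory does not name the actual keys.

```python
import json
import re

# Version range stated in the advisory: <= 2026.3.28 vulnerable, >= 2026.3.31 patched.
VULNERABLE_MAX = (2026, 3, 28)
PATCHED_MIN = (2026, 3, 31)

# Assumed key names (normalised: lowercase, underscores removed). The advisory only
# says the bootstrap JSON exposed the version and the assistant agent id.
FINGERPRINT_KEYS = {"version", "agentid", "assistantagentid"}


def parse_version(v: str) -> tuple:
    """Parse a CalVer-style openclaw version such as '2026.3.28' or 'v2026.3.31'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(v: str) -> bool:
    return parse_version(v) <= VULNERABLE_MAX


def is_patched(v: str) -> bool:
    return parse_version(v) >= PATCHED_MIN


def leaked_fields(bootstrap_json: str) -> list:
    """Return dotted paths of keys in a bootstrap payload that expose version or agent id."""
    found = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, val in node.items():
                p = f"{path}.{key}" if path else key
                if key.replace("_", "").lower() in FINGERPRINT_KEYS:
                    found.append(p)
                walk(val, p)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    walk(json.loads(bootstrap_json), "")
    return found


# Constructed sample payload, not captured from a real gateway.
SAMPLE_BOOTSTRAP = '{"ui": {"theme": "dark"}, "version": "2026.3.28", "assistant": {"agent_id": "agent-1234"}}'

if __name__ == "__main__":
    print(is_vulnerable("2026.3.28"), is_patched("v2026.3.31"))
    print(leaked_fields(SAMPLE_BOOTSTRAP))
```

A non-empty result from `leaked_fields` on a fetched bootstrap response is a reason to confirm the running version and upgrade; an empty result on a patched build matches the trimmed payload described in the triage.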
Source: GHSA · CVSS 4.0 score: 6.9
Vulnerability type
CWE-200 Information Exposure
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026