GHSA-8372-7vhw-cm6q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8372-7vhw-cm6q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-8372-7vhw-cm6q/GHSA-8372-7vhw-cm6q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8372-7vhw-cm6q
- Aliases
-
- CVE-2026-43528
- Downstream
- Published
- 2026-04-17T21:47:15Z
- Modified
- 2026-05-05T11:56:39Z
- Severity
-
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
- Details
-
Summary
config.get redaction bypass through sourceConfig and runtimeConfig aliases.
Affected Packages / Versions
- Package:
openclaw - Ecosystem: npm
- Affected versions:
< 2026.4.14 - Patched versions:
>= 2026.4.14
Impact
An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.
Technical Details
The fix explicitly overwrites
sourceConfigandruntimeConfigwith the same redacted copies used forresolvedandconfig, including the invalid-snapshot branch. Tests now cover both alias fields.Fix
The issue was fixed in #66030. The first stable tag containing the fix is
v2026.4.14, andopenclaw@2026.4.14includes the fix.Fix Commit(s)
86734ef93a2f25063371b04f1946eb300548acd4- PR: #66030
Release Process Note
Users should upgrade to
openclaw2026.4.14 or newer. The latest npm release,2026.4.14, already includes the fix.Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
- Package:
- Database specific
{ "github_reviewed_at": "2026-04-17T21:47:15Z", "nvd_published_at": null, "cwe_ids": [ "CWE-212" ], "severity": "HIGH", "github_reviewed": true }- References
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw