Improper Removal of Sensitive Information Before Storage or Transfer in openclaw

Q: How to fix?

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

Introduced: 17 Apr 2026

How to fix?

Upgrade openclaw to version 2026.4.14-beta.1 or higher.

Overview

openclaw is a 🦞 OpenClaw — Personal AI Assistant

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the sourceConfig and runtimeConfig alias fields, which were not properly redacted. An attacker can obtain sensitive secrets, such as provider API keys, gateway authentication material, and channel credentials, by accessing these unredacted alias fields.

Note: This is only exploitable if the attacker is an authenticated gateway client with configuration read access.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Improper Removal of Sensitive Information Before Storage or Transfer Affecting openclaw package, versions <2026.4.14-beta.1

Severity

Do your applications use this vulnerable package?

Introduced: 17 Apr 2026

How to fix?

Overview

References

CVSS Base Scores

Snyk