Severity: Low (3.7) · Ecosystem: npm

OpenClaw: Shared-secret comparison call sites leaked length information through timing

GHSA-jj6q-rrrf-h66h · CVE-2026-41407


Description

Summary

Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.

Impact

The affected paths exposed a low-severity timing side channel on secret comparison. The issue did not by itself demonstrate auth bypass, but it weakened the intended constant-time handling for shared secrets.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.4.1
  • Patched versions: >= 2026.4.2
  • Latest published npm version: 2026.4.1

Fix Commit(s)

  • be10ecef770a4654519869c3641bbb91087c8c7b — reuse the shared secret comparison helper at affected call sites

Release Process Note

The fix is present on main and is staged for OpenClaw 2026.4.2. Publish this advisory after the 2026.4.2 npm release is live.

Thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
