GHSA-jj6q-rrrf-h66h: OpenClaw: Shared-secret comparison call sites leaked length information through timing
medium vulnerability
security
Source: GitHub Advisory Database, April 7, 2026
Summary
OpenClaw versions before 2026.4.2 had a timing side channel (a security weakness where an attacker can learn secret information by measuring how long operations take) in shared-secret comparison code. The affected call sites could leak information about the length of a secret through measurable timing differences; the weakness did not directly allow attackers to bypass authentication.
Solution / Mitigation
Update to OpenClaw version 2026.4.2 or later. The fix reuses the existing shared-secret comparison helper at the affected call sites (commit be10ecef770a4654519869c3641bbb91087c8c7b).
Classification
Attack Sophistication: Moderate
Affected Packages
openclaw@<= 2026.4.1 (fixed: 2026.4.2)
Original source: https://github.com/advisories/GHSA-jj6q-rrrf-h66h
First tracked: April 7, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%