GHSA-v6x2-2qvm-6gv8: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
Summary
OpenClaw had a vulnerability in which it reused the gateway authentication token (the secret credential for accessing the gateway) as a fallback key for hashing owner IDs in system prompts (the instructions given to AI models). The same secret therefore served two unrelated security boundaries, and because the hashed values were visible to third-party AI providers, the authentication secret was potentially exposed.
Solution / Mitigation
Update to version 2026.2.22 or later. The fix removes the fallback to gateway tokens and instead auto-generates and saves a dedicated, separate secret specifically for owner-display hashing when hash mode is enabled and no secret is set. This separates the authentication secret from the prompt metadata hashing secret.
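The following is an added illustration of the two fallback behaviours described above, not OpenClaw's own code: the pre-fix resolver falls back to the gateway token as the hashing key, while the fixed resolver generates and persists a dedicated secret. Config field names (`gatewayAuthToken`, `ownerHashMode`, `ownerHashSecret`) are assumptions for the example.

```typescript
import { createHmac, randomBytes } from "node:crypto";

// Constructed stand-in for the gateway's persisted config; field names are assumptions,
// not OpenClaw's real config keys.
export interface GatewayConfig {
  gatewayAuthToken: string;   // credential for accessing the gateway
  ownerHashMode: boolean;     // whether owner IDs are hashed before going into prompts
  ownerHashSecret?: string;   // dedicated hashing secret (absent until set or generated)
}

// Pre-fix fallback as the advisory describes it: no dedicated secret, so the gateway
// auth token is reused as the hashing key. Anything derived from it then leaves the
// trust boundary inside prompts sent to third-party providers.
export function resolveOwnerHashSecretVulnerable(cfg: GatewayConfig): string {
  return cfg.ownerHashSecret ?? cfg.gatewayAuthToken;
}

// Post-fix fallback: generate a dedicated random secret once, persist it on the config
// so hashes remain stable across restarts, and never consult the auth token.
export function resolveOwnerHashSecretFixed(cfg: GatewayConfig): string {
  if (!cfg.ownerHashSecret) {
    cfg.ownerHashSecret = randomBytes(32).toString("hex");
  }
  return cfg.ownerHashSecret;
}

// Keyed hash of the owner ID, truncated for prompt display; the provider sees neither
// the raw ID nor (with the fixed resolver) anything derived from the gateway credential.
export function hashOwnerId(ownerId: string, secret: string): string {
  return createHmac("sha256", secret).update(ownerId).digest("hex").slice(0, 16);
}

// What the prompt would carry for this owner under the fixed behaviour.
export function displayOwnerIdFixed(cfg: GatewayConfig, ownerId: string): string {
  if (!cfg.ownerHashMode) return ownerId;
  return hashOwnerId(ownerId, resolveOwnerHashSecretFixed(cfg));
}

// Defender check for a config review: the prompt-hashing key must be distinct from the
// gateway credential and long enough to be an independent secret.
export function hashSecretIsIsolated(cfg: GatewayConfig, hashSecret: string): boolean {
  return hashSecret !== cfg.gatewayAuthToken && hashSecret.length >= 32;
}
```

Running `hashSecretIsIsolated` against a deployed config is a quick way to confirm the hashing key no longer matches the gateway credential after upgrading.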
Original source: https://github.com/advisories/GHSA-v6x2-2qvm-6gv8
First tracked: March 3, 2026 at 07:00 PM