CVE-2026-43528

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication material, and channel credentials that should have been redacted.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 07, 2026

CWE ID

CWE-212

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/commit/86734ef93a2f25063371b04f1946eb300548acd4
https://github.com/openclaw/openclaw/security/advisories/GHSA-8372-7vhw-cm6q
https://www.vulncheck.com/advisories/openclaw-redaction-bypass-via-sourceconfig-and-runtimeconfig-aliases

CVE-2026-43528

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment