OpenClaw Timing Attack Vulnerability in Hook Token Authentication

Vulnerability

A timing attack vulnerability has been identified in OpenClaw versions prior to 2026.2.12. The issue arises from non-constant-time string comparisons used for validating hook tokens, which can be exploited by remote attackers with network access to the hooks endpoint. By measuring response times across multiple requests, an attacker could gradually infer the authentication token. This vulnerability requires hooks to be exposed to an untrusted network and a significant number of requests to be effective, as real-world network conditions can introduce variability that complicates precise timing measurements.

Impact

Exploitation of this vulnerability allows for a timing attack that can be used to infer authentication tokens used in hook validation, potentially leading to unauthorized actions or access via the hooks endpoint.

Reproduction

The vulnerability can be reproduced by sending a series of requests to a hook endpoint with an incorrect token while measuring the response times. Over multiple requests, the timing discrepancies can be used to infer the correct token through a side-channel attack.

Remediation

Users are advised to upgrade to OpenClaw version 2026.2.12 or later. If an immediate upgrade is not possible, restrict network access to the hooks endpoint and rotate the hooks token after updating.

Added: Mar 5, 2026, 10:36 PM
Updated: Mar 5, 2026, 10:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.2
remediation: 0.0
relevance: 3.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.