OpenClaw Timing Attack Vulnerability in Hook Token Validation
Vulnerability
A timing attack vulnerability has been identified in OpenClaw versions prior to 2026.2.13. The issue arises from the use of non-constant-time string comparison for validating hook tokens, which allows remote attackers to infer token values through careful timing measurements. This vulnerability can be exploited by sending multiple requests to the hooks endpoint, taking advantage of timing discrepancies to gradually recover the authentication token.
Impact
Exploitation of this vulnerability allows for a timing attack that can be used to infer authentication tokens, potentially leading to unauthorized actions or access.
Reproduction
The vulnerability can be reproduced by sending a series of requests to the hooks endpoint while measuring the response times. The non-constant-time comparison can be exploited to infer the correct hook token by analyzing the timing variations across the requests.
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.13 or later. If an immediate upgrade is not possible, restrict network access to the hooks endpoint, and rotate the hook token after updating.
