OpenClaw Nostr Private Key Exposure Vulnerability
Vulnerability
A vulnerability in OpenClaw versions prior to 2026.3.31 allows Nostr private keys stored in plaintext in the configuration to be returned without redaction. The exposure occurs through 'config.get' method calls that bypass the intended redaction of sensitive fields. As a result, an attacker who can call 'config.get' may read the unredacted configuration and retrieve the plaintext signing keys used for Nostr protocol operations.
Impact
Exposing Nostr private keys in plaintext can lead to unauthorized access and misuse of Nostr accounts, as these keys are used for signing actions within the protocol.
Reproduction
To reproduce this vulnerability, use an OpenClaw version prior to 2026.3.31. Configure a Nostr private key in the application's settings, then call the 'config.get' method to retrieve the configuration data. The private key is returned in plaintext because the redaction mechanism does not conceal it on this read path.
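The defect described above is a read path that returns the stored configuration verbatim. The following TypeScript is an added example, not OpenClaw's code: it contrasts a leaky 'config.get' handler with one that redacts secret-named fields before returning, and supplies a check a test or log scanner can use. The config layout, the key name privateKey, and the nsec value are assumptions; the key is a constructed placeholder.

```typescript
// Added example (not OpenClaw's code). Config layout and field names are assumptions.
type ConfigValue = string | number | boolean | null | ConfigValue[] | { [key: string]: ConfigValue };
type Config = { [key: string]: ConfigValue };

// Constructed sample config; the nsec value is a placeholder, not a real key.
const sampleConfig: Config = {
  gateway: { port: 18789, bind: "loopback" },
  channels: {
    nostr: {
      enabled: true,
      privateKey: "nsec1constructedplaceholderkey0000000000000000000000000",
      relays: ["wss://relay.example"],
    },
  },
};

// Key names treated as secrets wherever they occur in the tree (assumed list).
const SECRET_KEY_PATTERN = /(privateKey|secretKey|nsec|token|password)/i;
const REDACTED = "[REDACTED]";

// Deep-copies the config, replacing every string leaf under a secret-named key.
function redactConfig(value: ConfigValue): ConfigValue {
  if (Array.isArray(value)) return value.map(redactConfig);
  if (value !== null && typeof value === "object") {
    const out: Config = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEY_PATTERN.test(k) && typeof v === "string" ? REDACTED : redactConfig(v);
    }
    return out;
  }
  return value;
}

// Leaky handler: hands back the stored configuration as-is (the pre-fix behaviour).
function configGetUnredacted(cfg: Config): Config {
  return cfg;
}

// Fixed handler: redaction is applied on the read path itself, so every caller gets the redacted view.
function configGetRedacted(cfg: Config): Config {
  return redactConfig(cfg) as Config;
}

// Regression check: does a serialized config.get response still carry an nsec-prefixed key?
function leaksNostrKey(cfg: Config): boolean {
  return /nsec1[0-9a-z]{20,}/.test(JSON.stringify(cfg));
}
```

The same leaksNostrKey check can be run over captured 'config.get' responses to confirm that a deployment has been upgraded.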
Remediation
Update to OpenClaw version 2026.3.31 or later, which fixes this vulnerability.
