OpenClaw Redaction Bypass Vulnerability in SourceConfig and RuntimeConfig Aliases

Vulnerability

A redaction bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.14. It allows authenticated gateway clients with config read access to receive unredacted secrets through the sourceConfig and runtimeConfig alias fields. Exploitation could disclose provider API keys, gateway authentication material, and channel credentials that should have been redacted.

Impact

Exploitation of this vulnerability could result in the unauthorized disclosure of sensitive information, including API keys, authentication material, and channel credentials.

Reproduction

To reproduce this vulnerability, an authenticated gateway client with config read access can request the sourceConfig and runtimeConfig alias fields. These fields will contain unredacted secrets that should have been redacted, such as provider API keys and gateway authentication materials.
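The pattern behind this class of bug, as an added example that is not OpenClaw's code: a response builder that redacts the primary config field but returns the alias fields as raw copies, beside a fixed builder that runs every view through the same deep redaction, plus a leak check a test suite can run over any response. The config shape and field names (providers.openai.apiKey, gateway.auth.token, channels[].credential) are constructed for illustration; OpenClaw's real schema is not on this page.

```javascript
// Added example, not OpenClaw's code: the alias-leak pattern this advisory
// describes, beside a fix and a check that catches it. Field names are assumed.

const SECRET_KEY = /(key|token|secret|password|credential)/i;
const MARKER = "[REDACTED]";

// Deep copy of `value` with every secret-looking string leaf replaced by MARKER.
function redact(value, key = "") {
  if (Array.isArray(value)) return value.map((v) => redact(v, key));
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v, k)]));
  }
  return typeof value === "string" && SECRET_KEY.test(key) ? MARKER : value;
}

// Vulnerable pattern: `config` is redacted, but the alias fields are raw copies
// of the same data, so a client that reads them gets the secrets back.
function buildConfigResponseVulnerable(source, runtime) {
  return { config: redact(runtime), sourceConfig: source, runtimeConfig: runtime };
}

// Fixed pattern: every field that exposes a view of the config goes through redact().
function buildConfigResponseFixed(source, runtime) {
  return { config: redact(runtime), sourceConfig: redact(source), runtimeConfig: redact(runtime) };
}

// Defensive check for tests or a response filter: return the paths of every
// secret-looking string that is not the redaction marker, anywhere in the response.
function findLeaks(value, path = "", key = "") {
  if (Array.isArray(value)) return value.flatMap((v, i) => findLeaks(v, `${path}[${i}]`, key));
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => findLeaks(v, path ? `${path}.${k}` : k, k));
  }
  return typeof value === "string" && SECRET_KEY.test(key) && value !== MARKER ? [path] : [];
}

// Constructed sample config (no real credentials).
const SOURCE = {
  providers: { openai: { apiKey: "sk-constructed-0001" } },
  gateway: { auth: { token: "gw-constructed-token" } },
};
const RUNTIME = { ...SOURCE, channels: [{ name: "slack", credential: "xoxb-constructed" }] };

console.log("vulnerable leaks:", findLeaks(buildConfigResponseVulnerable(SOURCE, RUNTIME)));
console.log("fixed leaks:", findLeaks(buildConfigResponseFixed(SOURCE, RUNTIME)));
```

Running findLeaks over every response shape in a test suite catches the case where a new alias or copy of the config is added without being routed through the redaction step.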

Remediation

Users are advised to upgrade to OpenClaw version 2026.4.14 or later. The latest npm release, 2026.4.14, includes the necessary fix.

Added: May 5, 2026, 12:35 PM
Updated: May 5, 2026, 12:35 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 7.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.