GHSA-8372-7vhw-cm6q: openclaw: config redaction bypass exposes provider API keys

GHSA-8372-7vhw-cm6q HIGH
Published April 17, 2026
CISO Take

openclaw's config.get API fails to redact secrets stored under the sourceConfig and runtimeConfig alias fields, meaning any authenticated gateway client with config read access receives plaintext provider API keys, gateway auth tokens, and channel credentials in API responses. While exploitation requires prior authentication, config read is a common and low-privilege permission level — making this a realistic insider threat and post-breach lateral movement vector in AI agent gateway deployments. The same package has 135 historical CVEs and a documented malicious skills ecosystem (AIID #1368) that has already been used to exfiltrate credentials, signaling that openclaw environments are actively targeted. Upgrade to openclaw 2026.4.14 immediately and rotate all credentials configured in affected gateway instances before assuming exposure is limited.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium-High. Exploitation requires authenticated access with config read permissions, narrowing the external attack surface, but this is a low-privilege and widely-granted capability in gateway deployments. The credential types exposed — LLM provider API keys, gateway auth material, channel credentials — carry disproportionate blast radius: a single leakage event can compromise all downstream AI provider integrations. The package's history of 135 CVEs suggests persistent security debt and adversary familiarity with its attack surface. No public exploit or active KEV listing, but the trivial post-auth exploitation path keeps this at elevated risk.

How does the attack unfold?

  1. Authenticated Access (AML.T0012): Attacker obtains a gateway client credential with config read permissions via insider access, phishing, or lateral movement from a prior compromise.

  2. Config Enumeration (AML.T0084): Attacker queries the openclaw config.get API endpoint, receiving a response that includes sourceConfig and runtimeConfig alias fields containing unredacted secrets.

  3. Credential Harvesting (AML.T0083): Provider API keys, gateway auth tokens, and channel credentials are extracted from the unredacted alias fields in the API response.

  4. Lateral Movement / Impact (AML.T0085): Harvested LLM API keys are used for unauthorized inference at victim cost; gateway auth tokens enable impersonation of the gateway identity to access connected internal services and exfiltrate data.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.14 | 2026.4.14 |

4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

5 steps
  1. Upgrade openclaw to version 2026.4.14 or later immediately.

  2. Treat all credentials configured in affected openclaw instances as compromised: rotate provider API keys, gateway auth tokens, and channel credentials.

  3. Audit config.get API access logs for queries returning sourceConfig or runtimeConfig fields prior to patching — any such response in the audit window should be treated as a confirmed credential leak.

  4. Enforce least-privilege on gateway client permissions: config read access should be restricted to administrative roles only.

  5. If immediate patching is not feasible, block config.get API access at the network layer for non-administrative clients as a temporary workaround.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.3 - AI system documentation and configuration security
NIST AI RMF: GOVERN-6.2 - Policies and procedures are in place for AI risk management including cybersecurity
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is GHSA-8372-7vhw-cm6q actively exploited?

No confirmed active exploitation of GHSA-8372-7vhw-cm6q has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-8372-7vhw-cm6q?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI agent gateways, LLM API integrations, multi-tenant AI platforms.

What is the CVSS score for GHSA-8372-7vhw-cm6q?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI agent gateways, LLM API integrations, multi-tenant AI platforms

MITRE ATLAS Techniques

AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.3
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary

config.get redaction bypass through sourceConfig and runtimeConfig aliases.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.14`
- Patched versions: `>= 2026.4.14`

## Impact

An authenticated gateway client with config read access could receive unredacted secrets through alias fields that survived redaction, including provider API keys, gateway auth material, and channel credentials.

## Technical Details

The fix explicitly overwrites `sourceConfig` and `runtimeConfig` with the same redacted copies used for `resolved` and `config`, including the invalid-snapshot branch. Tests now cover both alias fields.

## Fix

The issue was fixed in #66030. The first stable tag containing the fix is `v2026.4.14`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `86734ef93a2f25063371b04f1946eb300548acd4`
- PR: #66030

## Release Process Note

Users should upgrade to `openclaw` 2026.4.14 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
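The redaction gap and fix described under Technical Details, together with the response audit called for in remediation step 3, as an added JavaScript illustration that is not openclaw's code and not part of the original advisory. Only the field names `resolved`, `config`, `sourceConfig` and `runtimeConfig` come from the advisory; the snapshot shape, the key heuristic, the `__REDACTED__` placeholder, the alias pairing and every function name are assumptions, and the sample secrets are constructed.

```javascript
// Added illustration, not openclaw source. The four field names come from the
// advisory; the key heuristic, placeholder and snapshot shape are assumptions.
const SENSITIVE_KEY = /(api[-_]?key|token|secret|password|credential)/i;
const PLACEHOLDER = "__REDACTED__"; // hypothetical redaction marker

// Deep-copy a config tree, masking strings stored under sensitive-looking keys.
function redact(node) {
  if (Array.isArray(node)) return node.map(redact);
  if (node === null || typeof node !== "object") return node;
  return Object.fromEntries(Object.entries(node).map(([k, v]) =>
    [k, typeof v === "string" && SENSITIVE_KEY.test(k) ? PLACEHOLDER : redact(v)]));
}

// Bug pattern: only the canonical fields are redacted, so the spread copies the
// alias fields into the response untouched.
function buildResponseVulnerable(snapshot) {
  return { ...snapshot, resolved: redact(snapshot.resolved), config: redact(snapshot.config) };
}

// Fix pattern described in the advisory: overwrite both aliases with the same
// redacted copies (which alias pairs with which is assumed here). One return
// path, so an invalid snapshot is covered as well.
function buildResponseFixed(snapshot) {
  const resolved = redact(snapshot.resolved);
  const config = redact(snapshot.config);
  return { ...snapshot, resolved, config, sourceConfig: config, runtimeConfig: resolved };
}

// Audit helper: paths in a captured response where a sensitive-looking key still
// holds a non-empty string other than the placeholder.
function findLeaks(node, path = "") {
  if (node === null || typeof node !== "object") return [];
  return Object.entries(node).flatMap(([k, v]) => {
    const p = path ? `${path}.${k}` : k;
    if (typeof v !== "string") return findLeaks(v, p);
    return SENSITIVE_KEY.test(k) && v !== "" && v !== PLACEHOLDER ? [p] : [];
  });
}

// Constructed sample data; the secrets are fake.
const rawConfig = {
  providers: { openai: { apiKey: "sk-CONSTRUCTED-0000" } },
  gateway: { auth: { token: "gw-CONSTRUCTED-1111" } },
  channels: [{ name: "alerts", webhookSecret: "wh-CONSTRUCTED-2222" }],
};
const snapshot = { valid: true, resolved: rawConfig, config: rawConfig,
                   sourceConfig: rawConfig, runtimeConfig: rawConfig };
console.log("before fix:", findLeaks(buildResponseVulnerable(snapshot)));
console.log("after fix: ", findLeaks(buildResponseFixed(snapshot)));
```

When running `findLeaks` over real captured responses, set `PLACEHOLDER` to the marker the deployed version actually emits and extend `SENSITIVE_KEY` to match the key names in your configuration.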

Exploitation Scenario

An attacker with a low-privilege authenticated gateway client credential — obtained via phishing an internal developer, exploiting a prior vulnerability, or insider access — issues a standard config.get API request to the openclaw gateway. The response includes sourceConfig and runtimeConfig alias objects containing unredacted secrets: OpenAI or Anthropic API keys, internal OAuth tokens, and Slack or webhook channel credentials. The attacker extracts these and uses the LLM API keys to run unauthorized inference at the victim's expense, pivots to internal services using gateway auth material, and uses channel credentials to exfiltrate data or send messages impersonating the gateway identity.

Weaknesses (CWE)

CWE-212 — Improper Removal of Sensitive Information Before Storage or Transfer: The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

  • [Requirements] Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published
April 17, 2026
Last Modified
April 17, 2026
First Seen
April 18, 2026
