{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/redaction-bypass/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["openclaw"],"_cs_severities":["high"],"_cs_tags":["npm","openclaw","vulnerability","redaction-bypass"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions prior to 2026.4.14, contains a vulnerability that could lead to the exposure of sensitive information. An authenticated gateway client with the ability to read configurations might receive unredacted secrets, such as provider API keys, gateway authentication material, and channel credentials. The vulnerability stems from alias fields (\u003ccode\u003esourceConfig\u003c/code\u003e and \u003ccode\u003eruntimeConfig\u003c/code\u003e) that bypass the redaction process normally applied to configuration data. Successful exploitation would allow unauthorized access to sensitive resources and potentially compromise the security of systems relying on the \u003ccode\u003eopenclaw\u003c/code\u003e package. This issue was reported by @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, and has been patched in version 2026.4.14.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates as a gateway client with config read access.\u003c/li\u003e\n\u003cli\u003eThe client requests configuration data from the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eopenclaw\u003c/code\u003e version processes the request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfig.get\u003c/code\u003e function is called to retrieve configuration parameters.\u003c/li\u003e\n\u003cli\u003eRedaction is applied to the \u003ccode\u003eresolved\u003c/code\u003e and \u003ccode\u003econfig\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eHowever, the \u003ccode\u003esourceConfig\u003c/code\u003e and \u003ccode\u003eruntimeConfig\u003c/code\u003e alias fields are not correctly redacted.\u003c/li\u003e\n\u003cli\u003eThe client receives the configuration data, including the unredacted secrets present in the \u003ccode\u003esourceConfig\u003c/code\u003e or \u003ccode\u003eruntimeConfig\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information (API keys, credentials) from the unredacted data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to the exposure of sensitive credentials, including API keys, gateway authentication material, and channel credentials. An attacker could leverage these credentials to gain unauthorized access to internal systems and resources. The number of affected installations is unknown, but all deployments using \u003ccode\u003eopenclaw\u003c/code\u003e versions prior to 2026.4.14 are vulnerable. The npm package ecosystem is broadly used, so the impact could be significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.4.14 or later to remediate the vulnerability as described in the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unusual access patterns to configuration data that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit which clients can request configuration data, reducing the attack surface.\u003c/li\u003e\n\u003cli\u003eConsider using a secrets management solution to further protect sensitive credentials.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-18T12:00:00Z","date_published":"2024-01-18T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-redaction-bypass/","summary":"A vulnerability in the openclaw npm package before version 2026.4.14 allows authenticated clients with config read access to receive unredacted secrets due to bypasses in `sourceConfig` and `runtimeConfig` alias fields.","title":"OpenClaw Configuration Redaction Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-openclaw-redaction-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Redaction-Bypass","version":"https://jsonfeed.org/version/1.1"}