<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Redaction-Bypass - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/redaction-bypass/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 18 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/redaction-bypass/feed.xml" rel="self" type="application/rss+xml"/><item><title>OpenClaw Configuration Redaction Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-openclaw-redaction-bypass/</link><pubDate>Thu, 18 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openclaw-redaction-bypass/</guid><description>A vulnerability in the openclaw npm package before version 2026.4.14 allows authenticated clients with config read access to receive unredacted secrets due to bypasses in `sourceConfig` and `runtimeConfig` alias fields.</description><content:encoded><![CDATA[<p>The <code>openclaw</code> npm package, versions prior to 2026.4.14, contains a vulnerability that could lead to the exposure of sensitive information. An authenticated gateway client with the ability to read configurations might receive unredacted secrets, such as provider API keys, gateway authentication material, and channel credentials. The vulnerability stems from alias fields (<code>sourceConfig</code> and <code>runtimeConfig</code>) that bypass the redaction process normally applied to configuration data. Successful exploitation would allow unauthorized access to sensitive resources and potentially compromise the security of systems relying on the <code>openclaw</code> package. This issue was reported by @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer, and has been patched in version 2026.4.14.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates as a gateway client with config read access.</li>
<li>The client requests configuration data from the <code>openclaw</code> package.</li>
<li>The vulnerable <code>openclaw</code> version processes the request.</li>
<li>The <code>config.get</code> function is called to retrieve configuration parameters.</li>
<li>Redaction is applied to the <code>resolved</code> and <code>config</code> fields.</li>
<li>However, the <code>sourceConfig</code> and <code>runtimeConfig</code> alias fields are not correctly redacted.</li>
<li>The client receives the configuration data, including the unredacted secrets present in the <code>sourceConfig</code> or <code>runtimeConfig</code> fields.</li>
<li>The attacker extracts sensitive information (API keys, credentials) from the unredacted data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability could lead to the exposure of sensitive credentials, including API keys, gateway authentication material, and channel credentials. An attacker could leverage these credentials to gain unauthorized access to internal systems and resources. The number of affected installations is unknown, but all deployments using <code>openclaw</code> versions prior to 2026.4.14 are vulnerable. The npm package ecosystem is broadly used, so the impact could be significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>openclaw</code> npm package to version 2026.4.14 or later to remediate the vulnerability as described in the advisory.</li>
<li>Monitor application logs for unusual access patterns to configuration data that may indicate exploitation attempts.</li>
<li>Implement strict access control policies to limit which clients can request configuration data, reducing the attack surface.</li>
<li>Consider using a secrets management solution to further protect sensitive credentials.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>npm</category><category>openclaw</category><category>vulnerability</category><category>redaction-bypass</category></item></channel></rss>