VDB
KO
MEDIUM

GHSA-ppwq-6v66-5m6j

OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status

Details

## Summary Read-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields.

## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2`

## Fix Commit(s) - `f0202264d0de7ad345382b9008c5963bcefb01b7`

## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.

## Code-Level Confirmation - src/channels/account-snapshot-fields.ts now strips URL userinfo from channel status snapshot fields. - src/config/redact-snapshot.ts now redacts credential-bearing baseUrl and httpUrl fields while preserving safe context.

OpenClaw thanks @zpbrent for reporting.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw
Introduced in: 0 Fixed in: 2026.3.22
Fix npm install openclaw@2026.3.22

References