GHSA-2f7j-rp58-mr42
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
상세
## Summary
Before OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.
## Impact
A non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass.
## Affected Packages / Versions
- Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1`
## Fix Commit(s)
- `676b748056b5efca6f1255708e9dd9469edf5e2e` — limit connect snapshot metadata to admin-scoped clients
## Release Process Note
The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.
Thanks @topsec-bunney for reporting.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/openclaw/openclaw/security/advisories/GHSA-2f7j-rp58-mr42 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-41339 [ADVISORY]
- https://github.com/openclaw/openclaw/commit/676b748056b5efca6f1255708e9dd9469edf5e2e [WEB]
- https://github.com/openclaw/openclaw [PACKAGE]
- https://www.vulncheck.com/advisories/openclaw-information-disclosure-via-gateway-connect-snapshot [WEB]