GHSA-ppwq-6v66-5m6j
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
상세
## Summary Read-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields.
## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: < 2026.3.22 - Fixed: >= 2026.3.22 - Latest released tag checked: `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2`
## Fix Commit(s) - `f0202264d0de7ad345382b9008c5963bcefb01b7`
## Release Status The fix shipped in `v2026.3.22` and remains present in `v2026.3.23` and `v2026.3.23-2`.
## Code-Level Confirmation - src/channels/account-snapshot-fields.ts now strips URL userinfo from channel status snapshot fields. - src/config/redact-snapshot.ts now redacts credential-bearing baseUrl and httpUrl fields while preserving safe context.
OpenClaw thanks @zpbrent for reporting.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.