DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-JMM5-FVH5-GF4P: GHSA-JMM5-FVH5-GF4P: Timing Side-Channel in OpenClaw Authentication

#security #cve #cybersecurity #ghsa

GHSA-JMM5-FVH5-GF4P: Timing Side-Channel in OpenClaw Authentication

Vulnerability ID: GHSA-JMM5-FVH5-GF4P
CVSS Score: 5.9
Published: 2026-03-02

OpenClaw versions prior to 2026.2.12 contain a timing side-channel vulnerability in the webhook and device token authentication mechanisms. The application utilized standard string comparison logic for validating security tokens, allowing remote attackers to infer the correct token characters by measuring microsecond differences in server response times. Successful exploitation permits unauthorized execution of AI agent hooks and illicit device pairing.

TL;DR

OpenClaw authentication tokens are vulnerable to timing attacks due to non-constant-time string comparison. Attackers can brute-force secrets by analyzing response latency.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-208
  • CVSS Score: 5.9 (Medium)
  • Attack Vector: Network (Remote)
  • Attack Complexity: High (Requires statistical analysis)
  • Fix Commit: 113ebfd6a23c4beb8a575d48f7482593254506ec
  • Impact: Credential Access

Affected Systems

  • OpenClaw AI Assistant Platform
  • OpenClaw: < 2026.2.12 (Fixed in: 2026.2.12)

Code Analysis

Commit: 113ebfd

fix: prevent timing attacks on hook authentication and device pairing

Mitigation Strategies

  • Upgrade to OpenClaw version 2026.2.12 or later immediately.
  • Implement upstream rate limiting (e.g., via Nginx, AWS WAF, or Cloudflare) to drop excessive 401 responses before they reach the application.
  • Rotate all webhook and device tokens that may have been exposed prior to the patch.

Remediation Steps:

  1. Pull the latest Docker image or update the npm package: npm update openclaw.
  2. Verify the installed version is >= 2026.2.12.
  3. Regenerate hooksConfig.token in the configuration file.
  4. Restart the OpenClaw service to apply changes.

References

Read the full report for GHSA-JMM5-FVH5-GF4P on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)