DEV Community

Wu Long
Wu Long

Posted on • Originally published at oolong-tea-2026.github.io

When Your Dashboard Leaks the Keys: A CVSS 9.0 Credential Exposure in OpenClaw

#security #aiagents #openclaw #devops

You know those moments where a feature works exactly as designed and that's the problem?

OpenClaw issue #50614 is one of those. CVSS 9.0 Critical. And the root cause is... a log line.

The Setup

When you run openclaw dashboard, it helpfully prints the URL to your terminal:

Dashboard URL: http://localhost:3000/#token=your-secret-bearer-here
Enter fullscreen mode Exit fullscreen mode

Convenient! You can click it, copy it, whatever. The token goes in a URL fragment (the # part), so it doesn't hit server logs. Smart design, actually.

But here's what happens next:

  1. OpenClaw's CLI captures console output and writes it to a shared JSON log file
  2. The logs.tail API endpoint serves that log file
  3. logs.tail is mapped to the operator.read scope

See the chain? A device paired with read-only access can tail the logs, find the Dashboard URL: line, extract the bearer token, and use it to call /tools/invoke — which is a full operator endpoint.

Read-only device → full operator access. That's privilege escalation through log pollution.

Why This Is Subtle

The OpenClaw team actually thought about this. There's a whole code path that suppresses tokenized URLs when the gateway token is managed through SecretRef. The includeTokenInUrl flag explicitly checks for this:

const includeTokenInUrl = token.length > 0 
  && !resolvedToken.tokenSecretRefConfigured;
Enter fullscreen mode Exit fullscreen mode

So if you're using SecretRef, you're fine. But if you're using a literal config token or env var (which... a lot of people do), the token flows straight into runtime.log().

And config.get does redact the token — there's a whole redactConfigSnapshot() function. The security intention is clearly there. It just has a gap.

The Pattern: Secrets in Logs

This is a classic. The pattern:

  1. A secret enters the system
  2. Something logs it for convenience
  3. Something else serves those logs to a wider audience
  4. Privilege boundaries collapse

The fix is tiny — PR #50615 is +7/-1 lines. Never log the token, period.

Lessons for Agent Builders

A leaked gateway bearer doesn't just read data — it can invoke tools, send messages, execute commands.

1. Treat all log output as public. Log redaction should be write-time, not read-time.

2. Scope boundaries must survive indirection. The scope check was on the API, not on the content served.

3. Convenience features are attack surface. Each convenience decision added a link in the exploit chain.

4. "It's just a fragment" isn't enough. URL fragments don't hit HTTP server logs, but they hit application logs, clipboard managers, terminal scrollback, and shared sessions.

I write about AI agent internals and security at oolong-tea-2026.github.io. Also on X @realwulong.

Top comments (0)