Key management errors in OpenClaw - CVE-2026-32897


Published: May 1, 2026


Vulnerability identifier: #VU128814
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32897
CWE-ID: CWE-320
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper cryptographic key management in the owner-ID prompt obfuscation implemented in src/agents/cli-runner/helpers.ts, src/agents/pi-embedded-runner/run/attempt.ts and src/agents/pi-embedded-runner/compact.ts: owner identifiers are hashed when commands.ownerDisplay=hash is configured, and the weakness applies when commands.ownerDisplaySecret is left unset. The hash outputs are included in prompts sent to third-party model providers, so a remote user who can observe them can use them to disclose sensitive information.

The advisory does not describe direct disclosure of a plaintext token; practical risk is highest when weak gateway tokens are in use.
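The mechanism at issue, as an added example in TypeScript (Node.js crypto) that is not OpenClaw's own code: owner IDs are replaced in prompts by a truncated keyed hash, and when no dedicated secret is configured the key falls back to a value an observer may be able to guess. The config shape, the function names, the fallback value "changeme" and the owner IDs are all constructed for illustration; the advisory does not state what OpenClaw falls back to, only that the weakness applies when commands.ownerDisplaySecret is unset. The example shows a remote user who sees their own obfuscated ID recovering a weak fallback key offline from a candidate list, then unmasking another owner's tag seen in the same prompts, and a hardened path that refuses to hash without a random 32-byte secret.

```typescript
import { createHmac, randomBytes } from "node:crypto";

// Hypothetical config shape modelled on the two settings the advisory names.
export interface OwnerDisplayConfig {
  ownerDisplay: "raw" | "hash";
  ownerDisplaySecret?: string;
}

// Truncated HMAC-SHA256 of the owner ID under the given key. A 64-bit tag is
// enough to tell owners apart in a prompt; the key, not the tag length, is
// what stops an observer from reversing it.
export function ownerTag(ownerId: string, key: string): string {
  return createHmac("sha256", key).update(ownerId).digest("hex").slice(0, 16);
}

// Weak path (hypothetical): with ownerDisplaySecret unset, key the hash with
// whatever fallback value the deployment has at hand. The advisory does not
// say what OpenClaw fell back to; here it is a caller-supplied guessable value.
export function obfuscateOwnerWeak(ownerId: string, cfg: OwnerDisplayConfig, fallbackKey: string): string {
  if (cfg.ownerDisplay !== "hash") return ownerId;
  return ownerTag(ownerId, cfg.ownerDisplaySecret ?? fallbackKey);
}

// Hardened path: a dedicated secret is mandatory and must carry real entropy.
export function obfuscateOwnerHardened(ownerId: string, cfg: OwnerDisplayConfig): string {
  if (cfg.ownerDisplay !== "hash") return ownerId;
  const secret = cfg.ownerDisplaySecret;
  if (!secret || Buffer.byteLength(secret, "utf8") < 32) {
    throw new Error("commands.ownerDisplaySecret must be set (>= 32 bytes) when commands.ownerDisplay=hash");
  }
  return ownerTag(ownerId, secret);
}

// 32 random bytes, hex-encoded: 64 characters, 256 bits of entropy.
export function generateOwnerDisplaySecret(): string {
  return randomBytes(32).toString("hex");
}

// Offline key recovery by an observer who knows one (ownerId, tag) pair, e.g.
// a remote user who sees their own obfuscated ID in a prompt that reached a
// model provider, trying a list of candidate keys. Cost: one HMAC per guess.
export function recoverKey(knownOwnerId: string, observedTag: string, candidateKeys: string[]): string | null {
  for (const k of candidateKeys) {
    if (ownerTag(knownOwnerId, k) === observedTag) return k;
  }
  return null;
}

// With the key known, every other tag in the same prompts can be unmasked
// against a candidate list of owner IDs.
export function unmaskOwner(observedTag: string, key: string, candidateOwners: string[]): string | null {
  for (const o of candidateOwners) {
    if (ownerTag(o, key) === observedTag) return o;
  }
  return null;
}

// Constructed scenario: weak fallback vs. dedicated random secret.
export function demo(): { recoveredKey: string | null; unmasked: string | null; recoveredStrong: string | null } {
  const weakFallback = "changeme"; // constructed, hypothetical weak fallback key
  const weakCfg: OwnerDisplayConfig = { ownerDisplay: "hash" }; // secret unset
  const attackerId = "telegram:123456"; // constructed owner IDs
  const victimId = "telegram:987654";
  const dictionary = ["password", "changeme", "letmein", "openclaw"];

  const observedOwn = obfuscateOwnerWeak(attackerId, weakCfg, weakFallback);
  const recoveredKey = recoverKey(attackerId, observedOwn, dictionary);
  const victimTag = obfuscateOwnerWeak(victimId, weakCfg, weakFallback);
  const unmasked = recoveredKey ? unmaskOwner(victimTag, recoveredKey, ["telegram:111111", victimId]) : null;

  const strongCfg: OwnerDisplayConfig = { ownerDisplay: "hash", ownerDisplaySecret: generateOwnerDisplaySecret() };
  const strongTag = obfuscateOwnerHardened(attackerId, strongCfg);
  const recoveredStrong = recoverKey(attackerId, strongTag, dictionary);

  return { recoveredKey, unmasked, recoveredStrong };
}
```

The point the example makes is that the tag is only as strong as its key: a remote user already knows their own owner ID, so a single observed tag is a known-plaintext pair and any low-entropy fallback key falls to dictionary guessing, after which every other obfuscated owner in the same prompts is exposed. The hardened path fails closed when the dedicated secret is missing rather than silently choosing a fallback.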


Remediation

Install the security update from the vendor's website. The condition described above requires commands.ownerDisplaySecret to be unset, so deployments using commands.ownerDisplay=hash should also set that secret to a high-entropy random value.

External links