← Retour aux CVEs

CVE-2026-35644

MEDIUM

6.5

Description

OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive authentication information from URL userinfo components.

Details CVE

Score CVSS v3.16.5

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisLOW

Interaction utilisateurNONE

Publie4/9/2026

Derniere modification4/9/2026

Sourcenvd

Observations honeypot0

Faiblesses (CWE)

CWE-312

References

https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/commit/f0202264d0de7ad345382b9008c5963bcefb01b7(disclosure@vulncheck.com)

https://github.com/openclaw/openclaw/security/advisories/GHSA-ppwq-6v66-5m6j(disclosure@vulncheck.com)

https://www.vulncheck.com/advisories/openclaw-credential-exposure-via-baseurl-fields-in-gateway-snapshots(disclosure@vulncheck.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.