CVE-2026-35644
Information Disclosure in OpenClaw via Exposed URL Credentials
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | before 2026.3.22 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.3.22 and involves information disclosure. Attackers who have operator.read scope permissions can exploit this flaw to access sensitive credentials embedded within the channel baseUrl and httpUrl fields.
Specifically, attackers can retrieve gateway snapshots through the config.get and channels.status endpoints, which expose authentication information contained in the userinfo components of URLs.
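The defensive fix for this class of leak is to strip the userinfo (`user:password@`) component from URL-valued configuration before a snapshot is serialized for a caller that only holds `operator.read`. The following Node.js code is an added example, not OpenClaw's own code: the field names `baseUrl` and `httpUrl` come from the advisory, while the snapshot shape, the function names and the sample values are assumptions constructed for illustration. It goes beyond the two named fields by walking the whole snapshot and redacting any string that parses as a URL carrying credentials, and it reports which paths were touched so the redaction can be audited.

```javascript
// Added example, not OpenClaw's own code. Removes the userinfo component from
// every URL-valued string in a config/status snapshot before it is returned to
// a caller holding only the operator.read scope. baseUrl/httpUrl are the fields
// named in CVE-2026-35644; the snapshot layout below is a constructed sample.

// Return a copy of `value` with URL credentials removed and a flag saying
// whether anything was stripped. Strings that are not absolute URLs, and URLs
// without userinfo, are returned unchanged (so no accidental normalization).
function stripUrlCredentials(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return { value, stripped: false };
  }
  if (url.username === "" && url.password === "") {
    return { value, stripped: false };
  }
  // Clearing both parts makes the WHATWG URL serializer drop the "@" entirely;
  // the returned href is the normalized form (scheme, host, path, query, hash).
  url.username = "";
  url.password = "";
  return { value: url.href, stripped: true };
}

// Recursively walk a snapshot (objects, arrays, scalars) and redact every
// string that parses as a URL with userinfo, not only baseUrl/httpUrl.
// Returns the sanitized copy and the list of JSON paths that were redacted.
// The input object is never mutated.
function redactSnapshot(node, path = "$", report = []) {
  if (typeof node === "string") {
    const { value, stripped } = stripUrlCredentials(node);
    if (stripped) report.push(path);
    return { value, report };
  }
  if (Array.isArray(node)) {
    const value = node.map(
      (item, i) => redactSnapshot(item, `${path}[${i}]`, report).value
    );
    return { value, report };
  }
  if (node !== null && typeof node === "object") {
    const out = {};
    for (const [key, child] of Object.entries(node)) {
      out[key] = redactSnapshot(child, `${path}.${key}`, report).value;
    }
    return { value: out, report };
  }
  return { value: node, report };
}

// Constructed sample of what a gateway snapshot might contain; the credentials
// here are placeholders, not real values.
const SAMPLE_SNAPSHOT = {
  channels: {
    slackBridge: {
      baseUrl: "https://svc-account:s3cr3t@api.example.invalid/v1",
      httpUrl: "http://api.example.invalid:8080/health",
      status: "connected",
    },
  },
  gateway: {
    upstreams: ["wss://relay:hunter2@relay.example.invalid/ws"],
  },
};

// What the config.get / channels.status handler would hand back to an
// operator.read caller after redaction.
function sanitizedSample() {
  return redactSnapshot(SAMPLE_SNAPSHOT);
}

console.log(JSON.stringify(sanitizedSample(), null, 2));
```

Apply the redaction at the single choke point where snapshots are serialized for the API, not in each channel handler, so that a newly added URL field cannot reintroduce the leak; the `report` array is a natural thing to log so operators can confirm that the redaction ran on the fields they expect.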
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive authentication credentials. This exposure could allow attackers to gain further unauthorized access or escalate privileges within the affected system.
Since the attacker needs operator.read scope, the impact depends on the level of access already granted, but the leakage of credentials can facilitate additional attacks or compromise other systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenClaw allows attackers with operator.read scope to access sensitive authentication information embedded in URLs. This exposure of credentials could lead to unauthorized access to protected data, potentially resulting in violations of data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized disclosure.
Specifically, the information disclosure could compromise confidentiality requirements mandated by these standards, thereby affecting compliance.