OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison | Advisories

Advisories

OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison

severity: low
date: 4/28/2026
Affecting: OpenClaw < 2026.4.2
CVE: CVE-2026-41407
CWE: CWE-208 Observable Timing Discrepancy
CVSS: 6.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
References: GitHub Security Advisory (GHSA-jj6q-rrrf-h66h)
Patch Commit
Credit: KEXNA (@kexinoh)
Description: OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo