Vulnerability Description
OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can derive the gateway authentication token from the hash outputs, compromising gateway authentication security.
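As an added illustration (not OpenClaw's own code), the following Python models the fallback described above and flags the dual-use configuration, then shows that setting a dedicated `commands.ownerDisplaySecret` decouples the owner-ID hash from `gateway.auth.token`. The nested config layout, the HMAC-SHA256 obfuscation scheme and the sample values are assumptions.

```python
import copy
import hashlib
import hmac
import secrets

# Constructed sample config using the keys named in the advisory; the nested
# dict layout addressed by dotted paths is an assumption, not OpenClaw's format.
WEAK_CONFIG = {
    "gateway": {"auth": {"token": "gw-token-CONSTRUCTED-PLACEHOLDER"}},
    "commands": {"ownerDisplay": "hash"},  # ownerDisplaySecret deliberately unset
}


def _get(cfg, dotted):
    """Resolve a dotted path such as 'commands.ownerDisplaySecret'; None if absent."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def effective_hash_secret(cfg):
    """Model of the pre-2026.2.22 fallback: with ownerDisplay=hash and no
    dedicated secret, the gateway auth token becomes the hash secret."""
    if _get(cfg, "commands.ownerDisplay") != "hash":
        return None
    return _get(cfg, "commands.ownerDisplaySecret") or _get(cfg, "gateway.auth.token")


def audit(cfg):
    """Return a finding when the hash secret would equal the auth token (dual use)."""
    secret, token = effective_hash_secret(cfg), _get(cfg, "gateway.auth.token")
    if secret and token and hmac.compare_digest(secret, token):
        return "commands.ownerDisplaySecret unset: gateway.auth.token reused as hash secret"
    return None


def harden(cfg):
    """Return a copy with an independently generated ownerDisplaySecret."""
    fixed = copy.deepcopy(cfg)
    fixed["commands"]["ownerDisplaySecret"] = secrets.token_hex(32)
    return fixed


def obfuscate_owner_id(cfg, owner_id):
    """Assumed obfuscation: HMAC-SHA256 of the owner ID under the effective secret."""
    key = effective_hash_secret(cfg).encode()
    return hmac.new(key, owner_id.encode(), hashlib.sha256).hexdigest()
```

With the weak config every hash that reaches a model provider is keyed by the gateway token; after `harden`, the same owner ID produces a different digest derived from a secret that never doubles as an authentication credential.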
CVSS Score
3.7 (LOW)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.22 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/c99e7696e6893083b256f0a6c88fb060f3a7 (Patch)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v6x2-2qvm-6gv8 (Mitigation, Vendor Advisory)
- https://www.vulncheck.com/advisories/openclaw-authentication-token-reuse-in-owne (Third Party Advisory)
FAQ
What is CVE-2026-32897?
CVE-2026-32897 is a vulnerability with a CVSS score of 3.7 (LOW). OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is uns...
How severe is CVE-2026-32897?
CVE-2026-32897 has been rated LOW with a CVSS base score of 3.7/10. See the CVSS Score section above.
Is there a patch for CVE-2026-32897?
Check the references section above for the vendor advisory and the patch commit. Affected product: Openclaw (vendor Openclaw), versions prior to 2026.2.22.