GHSA-v6x2-2qvm-6gv8: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
- Auth-secret dual-use across security domains (gateway auth and prompt metadata hashing).
- Hash outputs are visible to third-party model providers in system prompts.
- No direct plaintext token disclosure.
- Practical risk is highest when operators use weak gateway tokens and leave the owner hash secret unset.
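
The dual-use fallback described above next to a fail-closed alternative, as an added example that is not OpenClaw's code. The config field names (`gatewayToken`, `ownerHashSecret`), the HMAC-SHA-256 construction and the 32-byte minimum are assumptions made for illustration.

```javascript
// Added illustration; not OpenClaw source. Field names, the HMAC-SHA-256
// construction and the 32-byte floor are assumptions.
const crypto = require("node:crypto");

const MIN_SECRET_BYTES = 32;

// Hash placed in the system prompt, so the model provider can see it.
function hashOwnerId(ownerId, key) {
  return crypto.createHmac("sha256", key).update(ownerId, "utf8").digest("hex");
}

// Pattern the advisory describes: the gateway auth token doubles as the
// hashing key whenever no owner hash secret is configured.
function resolveKeyWithFallback(cfg) {
  return cfg.ownerHashSecret || cfg.gatewayToken;
}

// Report every way the prompt hash could end up keyed by weak or shared material.
function auditConfig(cfg) {
  const findings = [];
  const secret = cfg.ownerHashSecret || "";
  if (!secret) findings.push("owner-hash-secret-unset");
  else if (secret === cfg.gatewayToken) findings.push("owner-hash-secret-equals-gateway-token");
  else if (Buffer.byteLength(secret, "utf8") < MIN_SECRET_BYTES) findings.push("owner-hash-secret-too-short");
  if (Buffer.byteLength(cfg.gatewayToken || "", "utf8") < MIN_SECRET_BYTES) findings.push("gateway-token-too-short");
  return findings;
}

// Hardened resolution: fail closed instead of borrowing the auth secret.
function resolveKeyStrict(cfg) {
  const blocking = auditConfig(cfg).filter((f) => f.startsWith("owner-hash-secret"));
  if (blocking.length > 0) throw new Error("refusing to hash owner ID: " + blocking.join(", "));
  return cfg.ownerHashSecret;
}

// Constructed sample configurations (not real secrets).
const weakConfig = { gatewayToken: "changeme" };
const separatedConfig = {
  gatewayToken: crypto.randomBytes(32).toString("hex"),
  ownerHashSecret: crypto.randomBytes(32).toString("hex"),
};
```

Running `auditConfig` at startup and refusing to start on any `owner-hash-secret-*` finding keeps the gateway credential out of every value that leaves the trust boundary.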