CVE-2026-41407

LOW 3.7

OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison

CVSS Score

3.7

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attackers can measure timing differences to leak secret-length information, weakening constant-time handling for shared secrets.

CWE	CWE-208
Vendor	openclaw
Product	openclaw
Published	Apr 28, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new low vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.4.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-jj6q-rrrf-h66h github.com: https://github.com/openclaw/openclaw/commit/be10ecef770a4654519869c3641bbb91087c8c7b vulncheck.com: https://www.vulncheck.com/advisories/openclaw-timing-side-channel-in-shared-secret-comparison

Credits

🔍 KEXNA (@kexinoh)