Duplicate Advisory: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
Moderate severity
GitHub Reviewed
Published
Apr 24, 2026
to the GitHub Advisory Database
•
Updated May 4, 2026
Withdrawn
This advisory was withdrawn on May 4, 2026
Description
Published by the National Vulnerability Database
Apr 23, 2026
Published to the GitHub Advisory Database
Apr 24, 2026
Reviewed
May 4, 2026
Withdrawn
May 4, 2026
Last updated
May 4, 2026
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-2f7j-rp58-mr42. This link is maintained to preserve external references.
Original Description
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling host fingerprinting and facilitating chained attacks.
References