Platform
javascript
Component
openclaw
Fixed in
2026.2.22
CVE-2026-3691 is an Information Disclosure vulnerability affecting OpenClaw Client version 2026.2.21. The flaw allows remote attackers to potentially disclose stored credentials by exploiting weaknesses in the OAuth authorization implementation. User interaction is required: the target must initiate an OAuth authorization flow. A patch is available to address this issue.
The primary impact of CVE-2026-3691 is the potential disclosure of stored credentials. An attacker can exploit this vulnerability by crafting a malicious OAuth authorization request that exposes sensitive information in the URL query string. Successful exploitation could lead to unauthorized access to user accounts and potentially further compromise of the system. This vulnerability highlights the importance of secure OAuth implementation and careful handling of sensitive data during authentication flows. The vulnerability was reported as ZDI-CAN-29381.
CVE-2026-3691 was publicly disclosed on 2026-04-11. The vulnerability's exploitation probability is currently assessed as medium, given the requirement for user interaction and the need for a crafted OAuth request. No public proof-of-concept (PoC) code has been released as of the disclosure date. The vulnerability has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.07% (21st percentile)
The primary mitigation for CVE-2026-3691 is to upgrade to a patched version of the OpenClaw Client (2026.2.22 or later). Where the upgrade cannot be applied immediately, apply stricter OAuth authorization policies to reduce exposure: scrutinize authorization requests and limit the scope of permissions granted. Reviewing and hardening the OAuth implementation so that no sensitive information is placed in the authorization URL is also essential. After upgrading, confirm the fix by verifying that the authorization flow no longer exposes sensitive data in the query string.
Update to the patched version to mitigate credential disclosure. The vulnerability is due to the exposure of sensitive data in the authorization URL query string. Verify and strengthen the OAuth implementation to avoid exposing confidential information in URLs.
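As an added example (not OpenClaw's own code), the following Node.js check audits an OAuth authorization URL for the failure mode described above, credential-like material in the query string, and produces a redacted copy safe for logging. The parameter names and sample URLs are generic assumptions constructed for illustration, not the specific parameters involved in the OpenClaw issue.

```javascript
// Added example (not OpenClaw's code): flag credential-like material in an
// OAuth authorization URL's query string, the exposure described for this CVE.
// Parameter names here are generic assumptions, not the ones involved in OpenClaw.
// Parameters a standard authorization request (RFC 6749, PKCE, OIDC) may carry.
const EXPECTED_PARAMS = new Set([
  'response_type', 'client_id', 'redirect_uri', 'scope', 'state', 'nonce',
  'code_challenge', 'code_challenge_method', 'prompt', 'login_hint', 'response_mode',
]);
// Names that should never appear in a front-channel authorization URL.
const SENSITIVE_PARAMS = new Set([
  'client_secret', 'access_token', 'refresh_token', 'id_token',
  'password', 'api_key', 'apikey', 'secret', 'token', 'authorization',
]);
// Three base64url segments separated by dots: the shape of a JWT.
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;

// Returns one finding per suspicious query parameter (empty array if clean).
function auditAuthorizationUrl(urlString) {
  const findings = [];
  for (const [name, value] of new URL(urlString).searchParams) {
    const lower = name.toLowerCase();
    if (SENSITIVE_PARAMS.has(lower)) {
      findings.push({ param: name, reason: 'credential-bearing parameter name' });
    } else if (JWT_RE.test(value)) {
      findings.push({ param: name, reason: 'JWT-shaped value' });
    } else if (!EXPECTED_PARAMS.has(lower)) {
      findings.push({ param: name, reason: 'parameter not expected in an authorization request' });
    }
  }
  return findings;
}

// Produces a copy of the URL safe to write to logs: every flagged value is replaced.
function redactAuthorizationUrl(urlString) {
  const url = new URL(urlString);
  const flagged = auditAuthorizationUrl(urlString).map((f) => f.param);
  for (const name of flagged) url.searchParams.set(name, 'REDACTED');
  return url.toString();
}

// Constructed samples: a leaky request next to a clean PKCE request.
const LEAKY_URL = 'https://auth.example.test/authorize?response_type=code'
  + '&client_id=app1&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb&state=xyz'
  + '&client_secret=s3cr3t-value&hint=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJlX2JpdHM';
const CLEAN_URL = 'https://auth.example.test/authorize?response_type=code'
  + '&client_id=app1&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb&scope=openid'
  + '&state=xyz&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256';
console.log(auditAuthorizationUrl(LEAKY_URL));  // two findings: client_secret, hint
console.log(redactAuthorizationUrl(LEAKY_URL)); // secret and JWT replaced with REDACTED
```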
CVE-2026-3691 is a Medium severity vulnerability in OpenClaw Client version 2026.2.21 that allows attackers to disclose stored credentials through a flaw in the OAuth authorization process.
If you are using OpenClaw Client version 2026.2.21 and rely on OAuth for authentication, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of OpenClaw Client (2026.2.22 or later). Where the upgrade cannot be applied immediately, implement stricter OAuth authorization policies to minimize the risk of exposure.
As of the disclosure date (2026-04-11), there are no confirmed reports of active exploitation of CVE-2026-3691. However, it’s crucial to apply the patch promptly to prevent potential future attacks.
Please refer to the official OpenClaw project website or security advisories for the most up-to-date information and patch releases related to CVE-2026-3691.