Medium severity 6.5 · NVD Advisory · Published Apr 28, 2026 · Updated May 1, 2026
CVE-2026-41385
Description
OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.3.31 | 2026.3.31 |
References
- github.com/openclaw/openclaw/commit/57700d716f660591fb6e09727f3ca8041fa48b9d (nvd, Patch, WEB)
- github.com/advisories/GHSA-jjw7-3vjf-fg5j (ghsa, ADVISORY)
- github.com/openclaw/openclaw/security/advisories/GHSA-jjw7-3vjf-fg5j (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-41385 (ghsa, ADVISORY)
- www.vulncheck.com/advisories/openclaw-nostr-private-key-exposure-via-config-get-redaction-bypass (nvd, Third Party Advisory, WEB)
- github.com/openclaw/openclaw/releases/tag/v2026.3.31 (ghsa, WEB)