CVE-2026-43895

jq versions 1.8.1 and earlier are affected: embedded NUL bytes in import paths at the jq-language level can be resolved differently during module/data-file lookup, creating a mismatch between the logical import string and the on-disk path opened. This mismatch can enable a local redaction-policy ...

CVE-2026-43895 jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy o...

CVE-2026-43528

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

CVE-2026-43528

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

EUVD-2026-27267

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

CVE-2026-43528 OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

CVE-2026-43528

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

CVE-2026-43528

OpenClaw, prior to version 2026.4.14, is affected by a redaction bypass vulnerability that lets authenticated gateway clients read unredacted secrets via the sourceConfig and runtimeConfig aliases. Attackers with config read access can obtain sensitive material such as provider API keys, gateway ...

CVE-2026-43528 OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases

OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with config read access can exploit this to obtain provider API keys, gateway authentication...

CVE-2026-41385

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations...

CVE-2026-41385 OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration data to obtain plaintext signing keys used for Nostr protocol operations...

CVE-2026-41385

OpenClaw vulnerability CVE-2026-41385 affects the OpenClaw npm package. The issue is that prior to version 2026.3.31, the Nostr privateKey is stored as plaintext in configuration and can be exposed via config.get calls that bypass redaction. This allows retrieval of unredacted configuration data ...

PT-2026-35770

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description The software stores the Nostr privateKey as plaintext within the configuration. This allows the exposure of plaintext signing keys used for Nostr protocol operations through calls to the...

SUSE CVE-2026-41182

LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to version 0.5.19 of the JavaScript SDK and version 0.7.31 of the Python SDK, the LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When ...

CVE-2026-32690 Apache Airflow: 3.x - Nested Variable Secret Values Bypass Redaction via max_depth=1

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked. If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to...

OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases

Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fiel...

GHSA-8372-7VHW-CM6Q OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases

Summary config.get redaction bypass through sourceConfig and runtimeConfig aliases. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.14 Impact An authenticated gateway client with config read access could receive unredacted secrets through alias fiel...

PT-2026-37014

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.14 Description A redaction bypass exists that allows authenticated gateway clients with config read access to receive unredacted secrets. This occurs through the sourceConfig and runtimeConfig alias fields,...

LangSmith SDK: Streaming token events bypass output redaction

Summary The LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a newtoken event containing the raw token value. These events bypass the redaction pipeline...

GHSA-RR7J-V2Q5-CHGV LangSmith SDK: Streaming token events bypass output redaction

Summary The LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a newtoken event containing the raw token value. These events bypass the redaction pipeline...