OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measur…

OpenClaw versions prior to 2026.2.12 contain a timing side-channel vulnerability in hook token validation. The application uses non-constant-time string comparison for authentication token validation, allowing remote attackers with network access to the hooks endpoint to infer authentication tokens through timing measurements. Attackers can exploit this timing side-channel across multiple requests to gradually determine the complete authentication token. This vulnerability affects the authentication mechanism and could lead to unauthorized access to the hooks endpoint. The issue has been addressed in version 2026.2.12 and later.