[Bug]: WhatsApp credentials leak across `--profile` boundaries

[juniorbra]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

Component: extensions/whatsapp (Baileys web provider) + core state dir resolution
Severity: High — breaks SaaS isolation; one customer's WhatsApp session can end up in another's profile directory.
Version observed: openclaw 2026.4.9
Workaround available: Yes — set OPENCLAW_OAUTH_DIR explicitly in the profile's systemd unit.

Summary

When running OpenClaw with --profile <name> to create an isolated profile directory (~/.openclaw-<name>/), the WhatsApp plugin writes Baileys credentials to the main gateway's ~/.openclaw/credentials/whatsapp/default/ directory instead of the profile-isolated ~/.openclaw-<name>/credentials/whatsapp/default/.

This breaks the isolation guarantee that --profile is supposed to provide, and in a multi-tenant SaaS deployment (the documented "Multiple Gateways with Isolated Profiles" pattern) it can cause:

1. Session bleeding — one tenant's paired WhatsApp session becomes visible to another tenant that gets provisioned later.
2. Ghost "already linked" state — web.login.start returns "WhatsApp is already linked (+<number>)" on a freshly-provisioned profile because the Baileys runtime reads from the main credentials directory and finds a stale creds.json there.
3. Stream 440 conflict storms — when both the main gateway and an isolated profile gateway are running, they both try to use the same creds.json and fight each other on the WhatsApp Web WebSocket, producing an endless loop of status=440 Unknown Stream Errored (conflict) and restored corrupted WhatsApp creds.json from backup warnings.

Steps to reproduce

# Start from a clean state: no profile dir, no main creds
rm -rf ~/.openclaw-testcase
rm -rf ~/.openclaw/credentials/whatsapp/default

# Create an isolated profile
openclaw --profile testcase onboard \
  --non-interactive --accept-risk --flow quickstart \
  --workspace ~/.openclaw-testcase/workspace \
  --auth-choice openai-api-key --openai-api-key sk-... \
  --gateway-port 18900 --gateway-bind loopback \
  --gateway-auth token --skip-channels --skip-health

# Install and start as a systemd service
openclaw --profile testcase gateway install
openclaw --profile testcase gateway start

# Attempt WhatsApp login via the gateway
openclaw --profile testcase gateway call web.login.start \
  --params '{"accountId":"default"}' --json

# Observe where creds.json landed
find ~/.openclaw-testcase/credentials ~/.openclaw/credentials -name creds.json -printf '%p %s %TY-%Tm-%Td %TT\n' 2>/dev/null

Observed: creds.json (partial Baileys init state — noiseKey, registrationId, etc.) appears in ~/.openclaw/credentials/whatsapp/default/creds.json instead of ~/.openclaw-testcase/credentials/whatsapp/default/creds.json.

Expected: The freshly-created profile dir should receive the credentials, since it's running with OPENCLAW_STATE_DIR=~/.openclaw-testcase/ in its environment (verified via cat /proc/<gateway-pid>/environ).

Expected behavior

Evidence that the environment is set correctly

$ cat /proc/$(pgrep openclaw-gatewa)/environ | tr '\0' '\n' | grep OPENCLAW
OPENCLAW_STATE_DIR=/home/openclaw/.openclaw-sec-hilton-junior-bee9f2c4
OPENCLAW_CONFIG_PATH=/home/openclaw/.openclaw-sec-hilton-junior-bee9f2c4/openclaw.json
OPENCLAW_PROFILE=sec-hilton-junior-bee9f2c4
...

The gateway process has the correct OPENCLAW_STATE_DIR, and resolveStateDir() in src/config/paths.ts:65 does respect it. But something in the WhatsApp plugin's module initialization is caching the resolved oauthDir before the environment override takes effect, or is resolving the path via a code path that never consults the environment.

Actual behavior

Evidence from logs

From /tmp/openclaw/openclaw-2026-04-11.log, produced by the gateway running under profile sec-hilton-junior-bee9f2c4:

{"module":"web-session","credsPath":"/home/openclaw/.openclaw/credentials/whatsapp/default/creds.json","msg":"restored corrupted WhatsApp creds.json from backup"}
{"module":"web-reconnect","status":440,"error":"status=440 Unknown Stream Errored (conflict)"}
{"module":"web-inbound","error":"Error: rate-overlimit"}

The credsPath should be ~/.openclaw-sec-hilton-junior-bee9f2c4/..., but it's the main ~/.openclaw/....

OpenClaw version

2026.4.9

Operating system

Ubuntu 24.04

Install method

npm

Model

openai

Provider / routing chain

none

Additional provider/model setup details

No response

Logs, screenshots, and evidence

## Where the resolution likely goes wrong

Initial investigation points at `extensions/whatsapp/src/accounts.ts:47`:


export function listWhatsAppAuthDirs(cfg: OpenClawConfig): string[] {
  const oauthDir = resolveOAuthDir();   // ← no env arg passed
  ...
}


`resolveOAuthDir()` in `src/config/paths.ts:236` has a default of `process.env`, but if this function is imported and the result memoized at module-load time (before the profile's `OPENCLAW_STATE_DIR` is applied to `process.env` by `applyCliProfileEnv()` at `src/cli/profile.ts:110`), the resolved path will be wrong.

A similar pattern exists in `resolveDefaultAuthDir()` and `resolveLegacyAuthDir()` in the same file:


function resolveDefaultAuthDir(accountId: string): string {
  return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
}

function resolveLegacyAuthDir(): string {
  return resolveOAuthDir();
}


These do not accept a config/context argument and rely entirely on the ambient environment at call time.

## Workaround

Setting `OPENCLAW_OAUTH_DIR` explicitly in the profile's systemd unit file forces the path regardless of module init order:


[Service]
Environment=OPENCLAW_STATE_DIR=/home/openclaw/.openclaw-<profile>
Environment=OPENCLAW_OAUTH_DIR=/home/openclaw/.openclaw-<profile>/credentials
Environment=OPENCLAW_CONFIG_PATH=/home/openclaw/.openclaw-<profile>/openclaw.json


After `systemctl --user daemon-reload` and restart, `creds.json` lands in the profile dir and stays isolated. Verified: the WhatsApp session pairs cleanly via `openclaw --profile <profile> channels login` and all 800+ Baileys state files end up under `~/.openclaw-<profile>/credentials/whatsapp/default/`.

## Suggested fix

1. **Pass the config/env explicitly.** `listWhatsAppAuthDirs(cfg)`, `resolveDefaultAuthDir(accountId)`, and `resolveLegacyAuthDir()` should accept an explicit `env` or `stateDir` argument and thread it through to `resolveOAuthDir()`, instead of relying on `process.env` at the moment of the (possibly lazy) call.
2. **Avoid top-level caching.** Any module that does `const OAUTH_DIR = resolveOAuthDir()` at load time is a latent isolation bug under `--profile`. These should be deferred or invoked with the runtime env.
3. **Doctor check.** `openclaw --profile <name> doctor` should warn when it detects `credsPath` outside the profile's state dir, pointing at the workaround above until the fix lands.
4. **Consider documenting `OPENCLAW_OAUTH_DIR`** as a supported isolation mechanism so SaaS operators don't have to infer it from source.

Impact and severity

For single-user, single-profile deployments this is invisible (the main profile just writes to its own dir). For multi-tenant SaaS (~/.openclaw-<tenant>/ pattern), it's a hard blocker: any tenant that provisions after another tenant has paired WhatsApp will inherit that tenant's session state, and the gateways of both tenants will fight over the same Baileys credentials on the Meta WebSocket.

Additional information

No response

[neeravmakwana]

Opened #64563 to lazy-resolve the default WhatsApp web auth dir and route OAuth root resolution through explicit resolveOAuthDir(process.env) in accounts.ts, with unit tests under OPENCLAW_STATE_DIR.

[lui62233]

這是一個 Critical Security Bug，你的 root cause 分析完全正確

你的分析非常精確——問題在於 resolveOAuthDir() 在模組加載時被 memoized（緩存），而此時 OPENCLAW_STATE_DIR 還沒有被 applyCliProfileEnv() 設置，導致 credentials 被寫到了 main profile 的目錄而不是隔離的 profile 目錄。

問題的核心：

模組頂層的 const 初始化在 module load 時就確定了值，而不是在第一次調用時。如果 module A 在 applyCliProfileEnv() 之前就被加載了，那麼 resolveOAuthDir() 就會用到錯誤的環境變數。

你的 fix 建議非常合理，補充一點：

// 修復方案：不要在 module load 時解析，改為每次調用時動態解析
// 但這需要改架構，成本較高

// 更好的方案：讓 resolveOAuthDir 接受可選的 stateDir 參數
export function resolveOAuthDir(stateDir?: string): string {
  const base = stateDir || process.env.OPENCLAW_STATE_DIR || defaultStateDir;
  return path.join(base, "credentials");
}

然後在 listWhatsAppAuthDirs 等函數裡，把 cfg.stateDir 傳進去。

另外建議加一個 doctor check：
在 openclaw doctor 裡檢測 credsPath 是否在 profile 的 state dir 內，如果不在就 warn——這個在你描述的建議里已經提到了，這樣 SaaS operator 能夠及時發現問題。

這個 bug 在 multi-tenant 環境下是 hard blocker，建議在 GitHub 上開一個 security advisory——因為 session bleeding 可能導致一個 tenant 看到另一個 tenant 的 WhatsApp 消息。

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main still resolves the WhatsApp default and account auth directories through ambient OAuth state, and the open fixing PR at #82492 explicitly closes this issue but has not landed.

Reproducibility: yes. at source level. The issue provides concrete profile-gateway steps and logs, and current main still has the default and account WhatsApp auth-dir paths resolving from ambient OAuth state instead of explicit active profile context.

Next step
No separate repair lane because #82492 already closes this issue and should be reviewed or revised instead of spawning a competing fix.

Security
Needs attention: WhatsApp credential/session path isolation remains security-sensitive for multi-profile and multi-tenant deployments.

Review details

Best possible solution:

Review and land a focused WhatsApp auth-dir fix through #82492 or an equivalent patch that resolves Baileys auth paths from the active profile state with regression coverage.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. The issue provides concrete profile-gateway steps and logs, and current main still has the default and account WhatsApp auth-dir paths resolving from ambient OAuth state instead of explicit active profile context.

Is this the best way to solve the issue?

Yes. A WhatsApp-owned auth-dir resolution fix with regression coverage is the narrow maintainable solution; documenting OPENCLAW_OAUTH_DIR alone would leave the credential-isolation bug in place.

Label changes:

• remove clawsweeper:linked-pr-open: Current issue advisory state no longer selects this label.

Label justifications:

• P1: The report describes cross-profile WhatsApp credential/session leakage affecting multi-profile gateway deployments.
• impact:security: The issue is about credentials being read or written outside the active profile boundary.
• impact:session-state: The reported failure can make one profile reuse another profile's WhatsApp session state and fight over Baileys state files.
• impact:auth-provider: The affected surface is credential and auth-directory resolution for the WhatsApp channel provider.

Security concerns:

• [high] Bind WhatsApp credentials to the active profile — extensions/whatsapp/src/auth-store.ts:46
  The default WhatsApp auth export is computed from ambient OAuth state at module load, so an early import can pin Baileys credentials under the default state dir instead of the active profile state dir.
  Confidence: 0.9
• [medium] Thread profile state through account auth discovery — extensions/whatsapp/src/accounts.ts:53
  Account discovery and default/legacy auth-dir helpers call resolveOAuthDir() without explicit env or state dir, so auth detection can drift from the profile boundary promised by the multiple-gateways docs.
  Confidence: 0.86

What I checked:

• Current main eagerly resolves the default WhatsApp auth dir: resolveDefaultWebAuthDir() calls resolveOAuthDir() with no explicit env or state dir, and WA_WEB_AUTH_DIR is assigned from it at module evaluation time. (extensions/whatsapp/src/auth-store.ts:42, 016c34ff1d2a)
• Current main account discovery also uses ambient OAuth state: listWhatsAppAuthDirs(), resolveDefaultAuthDir(), and resolveLegacyAuthDir() call resolveOAuthDir() without threading the active profile env/state dir. (extensions/whatsapp/src/accounts.ts:52, 016c34ff1d2a)
• Profile state-dir support exists in core: resolveOAuthDir(env, stateDir) derives credentials from the supplied or env-resolved state dir, while applyCliProfileEnv() fills OPENCLAW_STATE_DIR and profile config paths. (src/config/paths.ts:276, 016c34ff1d2a)
• Docs promise per-gateway credential isolation: The multiple-gateways guide lists OPENCLAW_STATE_DIR as the per-instance location for sessions, creds, and caches, matching the reporter's expected profile boundary. Public docs: docs/gateway/multiple-gateways.md. (docs/gateway/multiple-gateways.md:117, 016c34ff1d2a)
• Baileys uses the supplied folder as the credential store: OpenClaw passes the resolved auth dir into useMultiFileAuthState(authDir), and Baileys v7.0.0-rc12 joins that folder with creds.json and key files, so a wrong folder selects the wrong session state. (extensions/whatsapp/src/session.ts:150, 016c34ff1d2a)
• A linked fix PR is open and unmerged: Live GitHub state shows fix(whatsapp): resolve auth dir from active profile #82492 is open, mergeable, and has a closing reference to this issue, with changes touching the WhatsApp auth-dir files and regression tests. (f753b2ec2465)

Likely related people:

• steipete: Recent history shows repeated work on WhatsApp auth/store surfaces, plugin SDK boundaries, CLI profile/path handling, and state-dir behavior adjacent to this bug. (role: recent area contributor; confidence: high; commits: 9ec9fbf58d86, 694ca50e9775, 827b0de0ce74; files: extensions/whatsapp/src/auth-store.ts, extensions/whatsapp/src/accounts.ts, src/config/paths.ts)
• mcaxtr: Recent commits touched WhatsApp credential safety, auth stabilization, multi-account inbound state, and account configuration near the affected auth-dir surface. (role: recent WhatsApp account/session contributor; confidence: high; commits: de743c5a543e, 194f0786d4e9, aa76cf43f011; files: extensions/whatsapp/src/auth-store.ts, extensions/whatsapp/src/accounts.ts)
• vincentkoc: Recent history includes WhatsApp auth-conflict recovery and config path tightening adjacent to credential and profile-state behavior. (role: recent adjacent contributor; confidence: medium; commits: 7950a1802510, 93fbe26adbbc, e2a628b5a104; files: extensions/whatsapp/src/auth-store.ts, extensions/whatsapp/src/accounts.ts, src/config/paths.ts)

Remaining risk / open question:

• No live WhatsApp pairing or systemd profile-gateway run was executed in this read-only review; the current-main proof is source-level plus the reporter logs and dependency contract.
• The linked fix PR is still open, so current main users can still hit the profile credential-isolation failure until a fix lands.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 016c34ff1d2a.