Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.2.17.
DescriptionCVE.org
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
AnalysisAI
OpenClaw before 2026.2.17 stores session transcript JSONL files with overly permissive default file permissions, enabling local authenticated users to read transcript contents and extract sensitive information including secrets from tool output. The vulnerability requires local access and authenticated status on the system, affecting confidentiality of cached session data. No public exploit code or active exploitation has been confirmed, though the attack surface is high given the local nature and ease of file access.
Technical ContextAI
OpenClaw uses JSONL (JSON Lines) format for session transcript storage, a standard text-based format for logging structured data. The underlying issue is a file permission misconfiguration (CWE-378: Insecure Default Permissions) where transcript files are created with permissions that allow unintended local users to read contents. This occurs during session creation or logging operations. The affected CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* indicates all versions before 2026.2.17 are vulnerable. Session transcripts typically contain tool outputs, model responses, and potentially embedded credentials or secrets passed through the application, making their disclosure a significant information disclosure vector.
RemediationAI
Vendor-released patch: OpenClaw 2026.2.17 or later. Users should upgrade immediately to apply the fix, which addresses the file permission configuration issue. The upstream fix is available at https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c. As an interim workaround for users unable to patch immediately, manually restrict access to session transcript directories using OS-level file permissions (e.g., chmod 700 on Linux/macOS, or restrictive ACLs on Windows) to prevent unauthorized local access. Review and secure any transcript files created prior to patching to ensure no sensitive data remains accessible.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17024