CVE-2026-27004

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-20 00:16

Updated : 2026-02-20 18:05

NVD link : CVE-2026-27004

Mitre link : CVE-2026-27004

CVE.ORG link : CVE-2026-27004

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

CWE-346

Origin Validation Error

{"id": "CVE-2026-27004", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-20T00:16:17.140", "references": [{"url": "https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-209"}, {"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue."}, {"lang": "es", "value": "OpenClaw es un asistente personal de IA. Antes de la versi\u00f3n 2026.2.15, en algunas implementaciones de agente compartido, las herramientas de sesi\u00f3n de OpenClaw ('sessions_list', 'sessions_history', 'sessions_send') permit\u00edan una segmentaci\u00f3n de sesi\u00f3n m\u00e1s amplia de lo que algunos operadores pretend\u00edan. Esto es principalmente un problema de configuraci\u00f3n/alcance de visibilidad en entornos multiusuario donde los pares no son igualmente confiables. En modo webhook de Telegram, el inicio del monitor tampoco recurr\u00eda al 'webhookSecret' por cuenta cuando solo se configuraba el secreto a nivel de cuenta. En entornos de agente compartido, multiusuario y menos confiables: el acceso a las herramientas de sesi\u00f3n podr\u00eda exponer el contenido de la transcripci\u00f3n a trav\u00e9s de sesiones de pares. En entornos de agente \u00fanico o confiables, el impacto pr\u00e1ctico es limitado. En modo webhook de Telegram, la conexi\u00f3n del secreto a nivel de cuenta podr\u00eda pasarse por alto a menos que se proporcionara una anulaci\u00f3n expl\u00edcita del secreto del webhook del monitor. La versi\u00f3n 2026.2.15 corrige el problema."}], "lastModified": "2026-02-20T18:05:44.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "3CD9AC99-DDDF-4177-9253-04A63CA027DC", "versionEndExcluding": "2026.2.15"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}