Description
OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.
Published: 2026-02-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Telegram Bot Token Exposure
Action: Immediate Patch
AI Analysis

Impact

OpenClaw logs raw Telegram bot tokens in error messages and stack traces when request URLs contain the bot token. The exposed token enables an attacker to impersonate the bot and gain full Bot API access. This is a credential exposure weakness, classified as CWE‑522, and could compromise the confidentiality and integrity of bot-controlled interactions.

Affected Systems

OpenClaw, version 2026.2.14 and earlier on the OpenClaw personal AI assistant platform, runs on node.js. Any user deploying or running this application before 2026.2.15 may have written bot tokens into logs, crash reports, CI output, or support bundles.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not currently cataloged in CISA's KEV list. Attackers would need access to application logs or other outputs to retrieve the compromised token, implying a local or compromised system or compromised CI pipeline as the probable attack vector. Once the token is obtained, the attacker can use the Telegram Bot API to impersonate the bot, send messages, and perform any action allowed by the bot's permissions.

Generated by OpenCVE AI on April 17, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenClaw version 2026.2.15 or later to apply the log redaction fix.
  • Immediately rotate any Telegram bot tokens that may have been exposed prior to the update.
  • Restrict access to logs, crash reports, CI output, and support bundles, and ensure log rotation and secure storage policies are enforced.

Generated by OpenCVE AI on April 17, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-chf7-jq6g-qrwv OpenClaw: Telegram bot token exposure via logs
History

Fri, 20 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 23:30:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.
Title OpenClaw: Telegram bot token exposure via logs
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:37:51.627Z

Reserved: 2026-02-17T03:08:23.489Z

Link: CVE-2026-27003

cve-icon Vulnrichment

Updated: 2026-02-20T15:27:00.759Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T00:16:16.983

Modified: 2026-02-20T18:06:29.497

Link: CVE-2026-27003

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses