Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.
Published: 2026-02-19
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Session Access
Action: Patch
AI Analysis

Impact

The OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) could target and access sessions outside their intended scope in shared-agent configurations, exposing transcript content across peer sessions. Additionally, in Telegram webhook mode the monitor did not fall back to a per-account `webhookSecret` when only an account-level secret existed, which could allow an attacker to intercept Telegram messages if the wrong secret is used. The underlying weaknesses correspond to CWE-209 (information exposure) and CWE-346 (broken access control).

Affected Systems

The vulnerability affects OpenClaw deployments running any version older than 2026.2.15, especially those configured for shared-agent, multi-user scenarios. It is also relevant for deployments using Telegram webhook monitoring without an explicit per-account webhook secret override. Operators should verify whether their instances fall into this older version range.

Risk and Exploitability

The CVSS v3.1 base score is 6.9, reflecting moderate severity. EPSS puts the exploitation probability below 1 %, and the flaw is not listed in the CISA KEV catalog, suggesting it is not currently known to be widely exploited. The inferred attack vector is a local or network attacker who can join or interact in a shared-agent session, or who can manipulate the Telegram webhook configuration of a trusted account. Exploitation requires the attacker to be present in the same shared-agent context or to control the Telegram monitoring endpoint; the attacker may then read or interfere with session transcripts or compromise message handling.

Generated by OpenCVE AI on April 17, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.15 or later to apply the session-visibility and webhook-secret fixes.
  • Reassess shared-agent session-tool permissions and restrict visibility so that peers cannot access sessions beyond their intended scope.
  • When configuring Telegram webhook monitoring, explicitly set a per-account `webhookSecret` override; avoid relying on the default account-level secret unless the override is provided.

Tracking

Advisories
Source: Github GHSA
ID: GHSA-6hf3-mhgc-cm65
Title: OpenClaw session tool visibility hardening and Telegram webhook secret fallback
History

Fri, 20 Feb 2026 18:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Feb 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Openclaw (vendor), Openclaw openclaw (product)

Type: Vendors & Products
Values Added: Openclaw (vendor), Openclaw openclaw (product)

Thu, 19 Feb 2026 23:45:00 +0000

Type: Description
Values Added: OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.

Type: Title
Values Added: OpenClaw session tool visibility hardening and Telegram webhook secret fallback

Type: Weaknesses
Values Added: CWE-209, CWE-346

Type: References
Values Added: (none listed)

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:37:31.097Z

Reserved: 2026-02-17T03:08:23.489Z

Link: CVE-2026-27004

Vulnrichment

Updated: 2026-02-20T15:26:57.224Z

NVD

Status: Analyzed

Published: 2026-02-20T00:16:17.140

Modified: 2026-02-20T18:05:44.527

Link: CVE-2026-27004

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses