Description
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.
Published: 2026-03-31
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Bot Token Disclosure
Action: Patch immediately
AI Analysis

Impact

The vulnerability originates in OpenClaw’s fetchRemoteMedia function. When a media download fails, the original Telegram file URL, which contains the bot’s authentication token, is inserted into an error string. This string is then logged or displayed to users, exposing the token to anyone with log or error surface access. The exposed token allows an attacker to take over the bot, potentially sending messages, retrieving private data, or executing commands. The weakness is an information‑disclosure flaw (CWE‑532).

Affected Systems

The issue affects all OpenClaw deployments using the fetchRemoteMedia routine that run versions prior to 2026.3.13. Any installation of the open‑source bot or media server that has not applied the 2026.3.13 update remains vulnerable.

Risk and Exploitability

With a CVSS score of 8.7 the flaw carries high severity. Although EPSS data is unavailable, the bug can be triggered simply by causing a media download to fail— for example with a malformed URL or network interruption. The token leakage occurs immediately and does not require elevation of privileges, making the attack surface broad. The vulnerability is not yet listed in the CISA KEV catalog, but its ease of exploitation and potential to compromise a bot warrant prompt action.

Generated by OpenCVE AI on March 31, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.13 or later
  • Verify that logs no longer contain the bot token after the update
  • If an immediate upgrade is not possible, restrict log visibility and remove bot tokens from error messages

Generated by OpenCVE AI on March 31, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 31 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.
Title OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-532
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T11:17:19.343Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32982

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-31T12:16:29.850

Modified: 2026-03-31T12:16:29.850

Link: CVE-2026-32982

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:58Z

Weaknesses