Impact
OpenClaw 2026.4.23 and earlier suffer from an insecure file permissions vulnerability during configuration recovery. When the recovery process restores the OpenClaw.json file, the permissions applied allow any local user on a shared host to read the file. This permits an attacker to gain access to sensitive configuration data, potentially revealing credentials, API keys, or other secrets. The weakness originates from improper file permission handling (CWE-732).
Affected Systems
This vulnerability affects all installations of OpenClaw using versions 2026.4.23 or earlier. Updating to 2026.4.24 or later eliminates the issue.
Risk and Exploitability
With a CVSS score of 5.7 the vulnerability presents moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation. It is not currently listed in CISA's KEV catalog. The attack is local; an attacker who can run code or trigger the recovery path on a shared system can read the restored OpenClaw.json file and extract confidential data.
OpenCVE Enrichment
Github GHSA