CVE-2026-26326 Overview
CVE-2026-26326 is an information disclosure vulnerability in OpenClaw, a personal AI assistant application. Prior to version 2026.2.14, the skills.status endpoint could inadvertently expose sensitive configuration secrets to clients with only operator.read permissions. The vulnerability occurs when raw resolved config values are returned in configChecks for skill requires.config paths, potentially leaking sensitive credentials such as Discord API tokens.
Critical Impact
Unauthorized clients with read-scoped permissions can extract sensitive secrets including Discord tokens from the OpenClaw configuration, potentially enabling account takeover or further unauthorized access to integrated services.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw installations with Discord skill integration
- Systems exposing the skills.status API endpoint to read-scoped clients
Discovery Timeline
- 2026-02-19 - CVE-2026-26326 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-26326
Vulnerability Analysis
This vulnerability falls under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue stems from the skills.status function returning more information than necessary to clients authenticated with limited read-only permissions.
When a client with operator.read scope queries the status of configured skills, the API endpoint returns the full configChecks response including resolved configuration values. These resolved values contain sensitive secrets such as API tokens that should not be accessible to read-scoped clients. The vulnerability is network-accessible and requires only low-privilege authenticated access, making it exploitable by any authenticated user with read permissions.
Root Cause
The root cause lies in the overly verbose response structure of the skill requirement checking mechanism. When validating whether a skill's configuration requirements are satisfied, the system returned the actual resolved configuration values rather than a simple boolean status indicating satisfaction. This design flaw meant that any client capable of querying skill status could extract the underlying secrets used to satisfy those requirements.
Attack Vector
An attacker with legitimate operator.read access to an OpenClaw instance can exploit this vulnerability through the following mechanism:
The attack is network-based and requires authenticated access with read-level permissions. The attacker queries the skills.status endpoint, which returns configuration check results. In vulnerable versions, these results include the raw resolved configuration values for paths specified in skill requires.config definitions. For the Discord skill specifically, this means the Discord bot token could be extracted and used to impersonate or hijack the configured Discord bot.
The vulnerability mechanism involves the skill status endpoint returning complete configuration data rather than sanitized status information. Technical details can be found in the GitHub Security Advisory and the associated commit fix.
Detection Methods for CVE-2026-26326
Indicators of Compromise
- Unusual or frequent queries to the skills.status API endpoint from read-scoped clients
- Authentication logs showing multiple status check requests from the same client
- Evidence of Discord bot token usage from unexpected IP addresses or services
- Unauthorized actions performed through integrated Discord bots
Detection Strategies
- Monitor API access logs for repeated skills.status endpoint calls, particularly from clients with limited permissions
- Implement alerting on Discord bot activity originating from unrecognized sources
- Review access logs for patterns indicating systematic enumeration of skill configurations
- Audit OAuth/API token usage for read-scoped clients accessing sensitive endpoints
Monitoring Recommendations
- Enable verbose logging on the skills.status endpoint to capture client permission levels and request patterns
- Set up alerts for Discord API usage anomalies that may indicate token compromise
- Implement rate limiting on status check endpoints to detect and prevent enumeration attempts
- Monitor for new or unexpected integrations using potentially compromised Discord tokens
How to Mitigate CVE-2026-26326
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Rotate all Discord tokens that may have been exposed to read-scoped clients
- Audit access logs to identify potential unauthorized access to configuration secrets
- Review all clients with operator.read permissions and revoke unnecessary access
Patch Information
Version 2026.2.14 addresses this vulnerability through two key changes. First, the requirement check response now returns only { path, satisfied } instead of raw resolved configuration values, eliminating the information leak. Second, the Discord skill requirement has been narrowed to reference only the token key path rather than broader configuration paths.
For detailed patch information, see the GitHub Release Notes and the associated commits:
Workarounds
- Restrict operator.read access to trusted clients only until the patch can be applied
- Implement network-level access controls to limit which clients can reach the skills.status endpoint
- Temporarily disable the Discord skill integration if token exposure is a critical concern
- Deploy API gateway rules to filter or redact sensitive data from skill status responses
# Configuration example
# Rotate Discord bot token after upgrading
# 1. Generate new token in Discord Developer Portal
# 2. Update OpenClaw configuration with new token
openclaw config set discord.token "NEW_TOKEN_VALUE"
# 3. Verify skill status no longer exposes secrets
openclaw skills status --verbose
# 4. Revoke the old token in Discord Developer Portal
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
