CVE-2026-27004 Overview
CVE-2026-27004 is an Information Exposure vulnerability affecting OpenClaw, a personal AI assistant application. Prior to version 2026.2.15, the OpenClaw session tools (sessions_list, sessions_history, sessions_send) allowed broader session targeting than intended in shared-agent deployments. This configuration and visibility-scoping issue impacts multi-user environments where peers are not equally trusted, potentially exposing transcript content across peer sessions.
Additionally, in Telegram webhook mode, the monitor startup did not properly fall back to the per-account webhookSecret when only the account-level secret was configured, creating a potential secret wiring misconfiguration.
Critical Impact
In shared-agent, multi-user, less-trusted environments, session-tool access could expose transcript content across peer sessions, leading to unauthorized information disclosure between users.
Affected Products
- OpenClaw versions prior to 2026.2.15
- OpenClaw for Node.js deployments
- OpenClaw Telegram webhook mode configurations
Discovery Timeline
- 2026-02-20 - CVE-2026-27004 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27004
Vulnerability Analysis
This vulnerability stems from improper visibility scoping in OpenClaw's session management tools. The session tools (sessions_list, sessions_history, sessions_send) lacked proper access control boundaries, allowing users in shared-agent deployments to access session data belonging to other users. This represents a classic broken access control pattern where the application fails to properly segment data access based on user context.
The vulnerability particularly affects multi-tenant or shared-agent configurations where multiple users interact with the same OpenClaw instance. In single-agent or fully trusted environments, the practical impact is limited since all users would already have equivalent access privileges.
A secondary issue exists in Telegram webhook mode where the secret fallback mechanism did not properly chain from monitor-level to account-level configuration, potentially leaving webhooks without proper authentication.
Root Cause
The root cause is an Information Exposure vulnerability (CWE-209) arising from insufficient visibility scoping in session tool implementations. The original code did not implement granular visibility controls, defaulting to overly permissive session access that could span across user boundaries in multi-user deployments.
Attack Vector
The attack vector is local, requiring an authenticated user within a shared OpenClaw deployment. An attacker with access to the shared agent could leverage the session tools to enumerate and retrieve transcript content from other users' sessions without proper authorization checks.
The fix introduces a SessionToolsVisibility type with four distinct visibility levels: self, tree, agent, and all. The patch implements proper resolution functions that clamp visibility based on sandbox context:
// Visibility levels and their resolvers, as added by the fix (OpenClawConfig is the project's config type).
export type SessionToolsVisibility = "self" | "tree" | "agent" | "all";

// Read tools.sessions.visibility from config; any unrecognised value falls back to "tree".
export function resolveSessionToolsVisibility(cfg: OpenClawConfig): SessionToolsVisibility {
  const raw = (cfg.tools as { sessions?: { visibility?: unknown } } | undefined)?.sessions
    ?.visibility;
  const value = typeof raw === "string" ? raw.trim().toLowerCase() : "";
  if (value === "self" || value === "tree" || value === "agent" || value === "all") {
    return value;
  }
  return "tree";
}

// Sandboxed sessions are clamped to "tree" while the sandbox setting is "spawned" (the default).
export function resolveEffectiveSessionToolsVisibility(params: {
  cfg: OpenClawConfig;
  sandboxed: boolean;
}): SessionToolsVisibility {
  const visibility = resolveSessionToolsVisibility(params.cfg);
  if (!params.sandboxed) {
    return visibility;
  }
  const sandboxClamp = params.cfg.agents?.defaults?.sandbox?.sessionToolsVisibility ?? "spawned";
  if (sandboxClamp === "spawned" && visibility !== "tree") {
    return "tree";
  }
  return visibility;
}
Source: GitHub Commit Details
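The resolvers above only pick a visibility level; the access-control benefit comes from applying that level to every session a tool call touches. The following is an added example (not OpenClaw's code or part of the commit) of such a check. The session model (key, agentId, parentKey), the sample sessions, and the reading of "tree" as "the requester's own session plus everything spawned beneath it" are assumptions made for illustration.

```typescript
// Added example (not OpenClaw's code): enforcing a resolved SessionToolsVisibility
// as an allow/deny check before a session tool touches a target session.
// The session model below and the meaning given to "tree" are assumptions.

export type SessionToolsVisibility = "self" | "tree" | "agent" | "all";

export interface SessionRecord {
  key: string;         // unique session key
  agentId: string;     // agent the session belongs to
  parentKey?: string;  // session that spawned this one; undefined for roots
}

// Constructed sample data: two users on the "main" agent, one on "ops".
export const SAMPLE_SESSIONS: SessionRecord[] = [
  { key: "s-alice", agentId: "main" },
  { key: "s-alice-child", agentId: "main", parentKey: "s-alice" },
  { key: "s-alice-grand", agentId: "main", parentKey: "s-alice-child" },
  { key: "s-bob", agentId: "main" },
  { key: "s-carol", agentId: "ops" },
];

export function indexSessions(sessions: SessionRecord[]): Map<string, SessionRecord> {
  return new Map(sessions.map((s) => [s.key, s]));
}

// True when candidateKey is ancestorKey itself or lies below it in the spawn tree.
// The depth cap keeps a corrupted (cyclic) parent chain from looping forever.
export function isSelfOrDescendant(
  candidateKey: string,
  ancestorKey: string,
  index: Map<string, SessionRecord>,
): boolean {
  let current: string | undefined = candidateKey;
  for (let depth = 0; current !== undefined && depth < 64; depth++) {
    if (current === ancestorKey) return true;
    current = index.get(current)?.parentKey;
  }
  return false;
}

// Decide whether the requester's session may target `target` under `visibility`.
export function isSessionVisible(
  visibility: SessionToolsVisibility,
  requester: SessionRecord,
  target: SessionRecord,
  index: Map<string, SessionRecord>,
): boolean {
  switch (visibility) {
    case "self":
      return target.key === requester.key;
    case "tree":
      return isSelfOrDescendant(target.key, requester.key, index);
    case "agent":
      return target.agentId === requester.agentId;
    case "all":
      return true;
    default:
      // An unrecognised level (e.g. from untyped config) denies rather than widens access.
      return false;
  }
}

// Keys the requester may see (sessions_list); an unknown requester sees nothing.
export function listVisibleSessions(
  visibility: SessionToolsVisibility,
  requesterKey: string,
  sessions: SessionRecord[],
): string[] {
  const index = indexSessions(sessions);
  const requester = index.get(requesterKey);
  if (!requester) return [];
  return sessions
    .filter((s) => isSessionVisible(visibility, requester, s, index))
    .map((s) => s.key);
}

// Guard for a single-target tool such as sessions_history or sessions_send.
export function checkSessionTarget(
  visibility: SessionToolsVisibility,
  requesterKey: string,
  targetKey: string,
  sessions: SessionRecord[],
): { ok: true } | { ok: false; reason: string } {
  const index = indexSessions(sessions);
  const requester = index.get(requesterKey);
  const target = index.get(targetKey);
  if (!requester || !target) return { ok: false, reason: "unknown session key" };
  if (!isSessionVisible(visibility, requester, target, index)) {
    return { ok: false, reason: `target ${targetKey} is outside visibility "${visibility}"` };
  }
  return { ok: true };
}

for (const level of ["self", "tree", "agent", "all"] as const) {
  console.log(level, listVisibleSessions(level, "s-alice-child", SAMPLE_SESSIONS));
}
```

The deny-by-default branch matters in practice: the page's resolver silently maps an unknown configured value to "tree", and a check that widened access on an unknown level would undo that conservatism.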
Detection Methods for CVE-2026-27004
Indicators of Compromise
- Unusual patterns of sessions_list or sessions_history API calls from a single user targeting multiple session identifiers
- Cross-user session access attempts in application logs
- Unexpected session enumeration behavior in shared-agent deployments
Detection Strategies
- Monitor OpenClaw session tool invocations for access patterns that span multiple user contexts
- Review audit logs for sessions_list, sessions_history, and sessions_send tool usage
- Implement alerting on session access requests that target sessions outside the requesting user's ownership tree
Monitoring Recommendations
- Enable verbose logging for session tool operations in shared-agent deployments
- Audit webhook secret configuration in Telegram mode to ensure proper fallback behavior
- Monitor for configuration files missing explicit visibility scoping settings
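The indicators and detection strategies above can be turned into a small scanner over session-tool audit records. The block below is an added example (not OpenClaw's code) that flags calls reaching sessions owned by another user and callers that touch many distinct sessions. The JSON-lines log format, the field names, the ownership map and the sample lines are all constructed for the example; OpenClaw's real log schema may differ and would need a different parser.

```typescript
// Added example (not OpenClaw's code): scanning constructed audit-log lines for
// session-tool calls that target sessions owned by another user, and for callers
// that enumerate many distinct sessions. Log format and ownership map are assumptions.

export interface ToolCallEvent {
  ts: string;
  user: string;      // identity of the caller
  tool: string;      // sessions_list | sessions_history | sessions_send
  target?: string;   // session key targeted; absent for sessions_list
}

export interface Finding {
  kind: "cross_user_access" | "enumeration";
  user: string;
  detail: string;
}

const SESSION_TOOLS = new Set(["sessions_list", "sessions_history", "sessions_send"]);

// Parse one JSON line; malformed lines and non-session-tool calls yield null.
export function parseAuditLine(line: string): ToolCallEvent | null {
  let obj: unknown;
  try {
    obj = JSON.parse(line);
  } catch {
    return null;
  }
  if (typeof obj !== "object" || obj === null) return null;
  const rec = obj as Record<string, unknown>;
  if (typeof rec.ts !== "string" || typeof rec.user !== "string" || typeof rec.tool !== "string") return null;
  if (!SESSION_TOOLS.has(rec.tool)) return null;
  const target = typeof rec.target === "string" ? rec.target : undefined;
  return { ts: rec.ts, user: rec.user, tool: rec.tool, target };
}

// Constructed ownership map: session key -> owning user.
export const SAMPLE_OWNERS: Record<string, string> = {
  "s-alice-1": "alice",
  "s-bob-1": "bob",
  "s-bob-2": "bob",
  "s-carol-1": "carol",
};

// Constructed audit lines, including an unrelated tool and a malformed line.
export const SAMPLE_LOG: string[] = [
  '{"ts":"2026-02-21T09:00:01Z","user":"alice","tool":"sessions_history","target":"s-alice-1"}',
  '{"ts":"2026-02-21T09:00:05Z","user":"alice","tool":"sessions_history","target":"s-bob-1"}',
  '{"ts":"2026-02-21T09:00:09Z","user":"alice","tool":"sessions_history","target":"s-bob-2"}',
  '{"ts":"2026-02-21T09:00:12Z","user":"alice","tool":"sessions_send","target":"s-carol-1"}',
  '{"ts":"2026-02-21T09:01:00Z","user":"bob","tool":"sessions_history","target":"s-bob-1"}',
  '{"ts":"2026-02-21T09:01:30Z","user":"bob","tool":"web_search","target":"s-alice-1"}',
  "not json at all",
];

export function detectSuspiciousSessionAccess(
  lines: string[],
  owners: Record<string, string>,
  enumerationThreshold = 3,
): Finding[] {
  const findings: Finding[] = [];
  const distinctTargets = new Map<string, Set<string>>();
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev || !ev.target) continue;
    const owner = owners[ev.target];
    // Sessions with unknown ownership get no verdict; only a known foreign owner is a finding.
    if (owner !== undefined && owner !== ev.user) {
      findings.push({
        kind: "cross_user_access",
        user: ev.user,
        detail: `${ev.ts} ${ev.tool} on ${ev.target} (owned by ${owner})`,
      });
    }
    if (!distinctTargets.has(ev.user)) distinctTargets.set(ev.user, new Set());
    distinctTargets.get(ev.user)!.add(ev.target);
  }
  distinctTargets.forEach((targets, user) => {
    if (targets.size >= enumerationThreshold) {
      findings.push({
        kind: "enumeration",
        user,
        detail: `${targets.size} distinct sessions targeted: ${Array.from(targets).sort().join(", ")}`,
      });
    }
  });
  return findings;
}

for (const f of detectSuspiciousSessionAccess(SAMPLE_LOG, SAMPLE_OWNERS)) {
  console.log(`${f.kind}\t${f.user}\t${f.detail}`);
}
```

The ownership map is the piece a real deployment has to supply; without an authoritative record of which user owns which session the cross-user rule cannot fire, which is why the page's monitoring advice starts with enabling verbose session-tool logging.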
How to Mitigate CVE-2026-27004
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Review shared-agent deployments to identify potentially affected environments
- Audit session access logs to determine if unauthorized cross-session access has occurred
- Verify Telegram webhook secret configuration includes explicit monitor-level overrides if applicable
Patch Information
OpenClaw version 2026.2.15 addresses this vulnerability by implementing proper session visibility scoping controls. The fix introduces a SessionToolsVisibility configuration option that allows administrators to explicitly define session access boundaries. The patch also corrects the webhook secret fallback mechanism in Telegram mode.
For detailed patch information, see the GitHub Security Advisory GHSA-6hf3-mhgc-cm65 and the commit implementing the fix.
Workarounds
- Restrict shared-agent deployments to fully trusted user groups until the patch can be applied
- Disable session tools (sessions_list, sessions_history, sessions_send) in multi-user environments if not required
- Configure explicit webhookSecret overrides at the monitor level for Telegram deployments
# Configuration example - Restricting session visibility in OpenClaw config
# Set session tools visibility to "self" to limit access to own sessions only
tools:
  sessions:
    visibility: "self"

# For Telegram webhook mode, ensure explicit webhook secret at monitor level
monitors:
  telegram:
    webhookSecret: "${MONITOR_WEBHOOK_SECRET}"
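A configuration like the one above is easy to get subtly wrong, so it helps to audit the parsed config rather than eyeball the YAML. The block below is an added example (not OpenClaw's code) that reports an implicit or overly broad session visibility and resolves, per Telegram account, which webhook secret would actually be used. The key paths tools.sessions.visibility and monitors.telegram.webhookSecret are the ones shown in the config above; the account-level path monitors.telegram.accounts.<name>.webhookSecret and the sample configs are assumptions for illustration.

```typescript
// Added example (not OpenClaw's code): auditing a parsed OpenClaw-style config object
// for the two settings this advisory concerns. The account-level secret path
// (monitors.telegram.accounts.<name>.webhookSecret) is an assumption.

export interface ConfigIssue {
  severity: "high" | "medium";
  path: string;
  message: string;
}

const VALID_LEVELS = new Set(["self", "tree", "agent", "all"]);

// Safe nested lookup on an untyped config object.
function get(obj: unknown, ...path: string[]): unknown {
  let cur: unknown = obj;
  for (const k of path) {
    if (typeof cur !== "object" || cur === null) return undefined;
    cur = (cur as Record<string, unknown>)[k];
  }
  return cur;
}

export function auditSessionVisibility(cfg: unknown): ConfigIssue[] {
  const path = "tools.sessions.visibility";
  const raw = get(cfg, "tools", "sessions", "visibility");
  if (raw === undefined) {
    return [{ severity: "medium", path, message: "not set; the built-in default applies implicitly" }];
  }
  // Mirror the resolver's normalisation so the audit sees what the code will see.
  const value = typeof raw === "string" ? raw.trim().toLowerCase() : "";
  if (!VALID_LEVELS.has(value)) {
    return [{ severity: "high", path, message: `unrecognised value ${JSON.stringify(raw)} is silently replaced by the default` }];
  }
  if (value === "all") return [{ severity: "high", path, message: '"all" lets any caller target every session' }];
  if (value === "agent") return [{ severity: "medium", path, message: '"agent" spans every session of the agent, across users' }];
  return [];
}

export interface WebhookSecretResolution {
  account: string;
  source: "monitor" | "account" | "none";
}

// A monitor-level secret overrides; otherwise each account falls back to its own secret.
export function resolveTelegramWebhookSecrets(cfg: unknown): WebhookSecretResolution[] {
  const monitorSecret = get(cfg, "monitors", "telegram", "webhookSecret");
  const accounts = get(cfg, "monitors", "telegram", "accounts");
  const names = typeof accounts === "object" && accounts !== null ? Object.keys(accounts) : ["default"];
  return names.map((account): WebhookSecretResolution => {
    if (typeof monitorSecret === "string" && monitorSecret.length > 0) return { account, source: "monitor" };
    const own = get(accounts, account, "webhookSecret");
    if (typeof own === "string" && own.length > 0) return { account, source: "account" };
    return { account, source: "none" };
  });
}

export function auditTelegramWebhookSecrets(cfg: unknown): ConfigIssue[] {
  if (get(cfg, "monitors", "telegram") === undefined) return [];
  return resolveTelegramWebhookSecrets(cfg)
    .filter((r) => r.source === "none")
    .map((r): ConfigIssue => ({
      severity: "high",
      path: `monitors.telegram.accounts.${r.account}.webhookSecret`,
      message: "no webhook secret at monitor or account level",
    }));
}

// Constructed sample configs (secret values are placeholders, not real secrets).
export const WEAK_CONFIG = {
  tools: { sessions: { visibility: "all" } },
  monitors: { telegram: { accounts: { main: {}, alerts: { webhookSecret: "acct-secret-placeholder" } } } },
};
export const HARDENED_CONFIG = {
  tools: { sessions: { visibility: "self" } },
  monitors: { telegram: { webhookSecret: "monitor-secret-placeholder", accounts: { main: {}, alerts: {} } } },
};

for (const [name, cfg] of [["weak", WEAK_CONFIG], ["hardened", HARDENED_CONFIG]] as const) {
  console.log(name, [...auditSessionVisibility(cfg), ...auditTelegramWebhookSecrets(cfg)]);
}
```

Running the audit against the weak config reports the "all" visibility and the account with no secret at either level; the hardened config reports nothing, since the monitor-level secret covers every account.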
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

