CVE-2026-27004: OpenClaw Information Disclosure Flaw

CVE-2026-27004 is an information disclosure vulnerability in OpenClaw that exposes session data in multi-user deployments. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2026-27004 Overview

CVE-2026-27004 is an Information Exposure vulnerability affecting OpenClaw, a personal AI assistant application. Prior to version 2026.2.15, the OpenClaw session tools (sessions_list, sessions_history, sessions_send) allowed broader session targeting than intended in shared-agent deployments. This configuration and visibility-scoping issue impacts multi-user environments where peers are not equally trusted, potentially exposing transcript content across peer sessions.

Additionally, in Telegram webhook mode, the monitor startup did not properly fall back to the per-account webhookSecret when only the account-level secret was configured, creating a potential secret wiring misconfiguration.

Critical Impact

In shared-agent, multi-user, less-trusted environments, session-tool access could expose transcript content across peer sessions, leading to unauthorized information disclosure between users.

Affected Products

  • OpenClaw versions prior to 2026.2.15
  • OpenClaw for Node.js deployments
  • OpenClaw Telegram webhook mode configurations

Discovery Timeline

  • 2026-02-20 - CVE-2026-27004 published to NVD
  • 2026-02-20 - Last updated in NVD database

Technical Details for CVE-2026-27004

Vulnerability Analysis

This vulnerability stems from improper visibility scoping in OpenClaw's session management tools. The session tools (sessions_list, sessions_history, sessions_send) lacked proper access control boundaries, allowing users in shared-agent deployments to access session data belonging to other users. This represents a classic broken access control pattern where the application fails to properly segment data access based on user context.

The vulnerability particularly affects multi-tenant or shared-agent configurations where multiple users interact with the same OpenClaw instance. In single-agent or fully trusted environments, the practical impact is limited since all users would already have equivalent access privileges.

A secondary issue exists in Telegram webhook mode where the secret fallback mechanism did not properly chain from monitor-level to account-level configuration, potentially leaving webhooks without proper authentication.

Root Cause

The root cause is an Information Exposure vulnerability (CWE-209) arising from insufficient visibility scoping in session tool implementations. The original code did not implement granular visibility controls, defaulting to overly permissive session access that could span across user boundaries in multi-user deployments.

Attack Vector

The attack vector is local, requiring an authenticated user within a shared OpenClaw deployment. An attacker with access to the shared agent could leverage the session tools to enumerate and retrieve transcript content from other users' sessions without proper authorization checks.

The fix introduces a SessionToolsVisibility type with four distinct visibility levels: self, tree, agent, and all. The patch implements proper resolution functions that clamp visibility based on sandbox context:

```typescript
// Excerpt from the fix commit. OpenClawConfig is the project's configuration
// type, imported elsewhere in the original file.
export type SessionToolsVisibility = "self" | "tree" | "agent" | "all";

// Read tools.sessions.visibility from the config; anything other than one of
// the four known levels falls back to the "tree" default.
export function resolveSessionToolsVisibility(cfg: OpenClawConfig): SessionToolsVisibility {
  const raw = (cfg.tools as { sessions?: { visibility?: unknown } } | undefined)?.sessions
    ?.visibility;
  const value = typeof raw === "string" ? raw.trim().toLowerCase() : "";
  if (value === "self" || value === "tree" || value === "agent" || value === "all") {
    return value;
  }
  return "tree";
}

// Sandboxed agents are additionally clamped: with the default "spawned"
// sandbox setting they never get more than "tree" visibility.
export function resolveEffectiveSessionToolsVisibility(params: {
  cfg: OpenClawConfig;
  sandboxed: boolean;
}): SessionToolsVisibility {
  const visibility = resolveSessionToolsVisibility(params.cfg);
  if (!params.sandboxed) {
    return visibility;
  }
  const sandboxClamp = params.cfg.agents?.defaults?.sandbox?.sessionToolsVisibility ?? "spawned";
  if (sandboxClamp === "spawned" && visibility !== "tree") {
    return "tree";
  }
  return visibility;
}
```

Source: GitHub Commit Details

Detection Methods for CVE-2026-27004

Indicators of Compromise

  • Unusual patterns of sessions_list or sessions_history API calls from a single user targeting multiple session identifiers
  • Cross-user session access attempts in application logs
  • Unexpected session enumeration behavior in shared-agent deployments

Detection Strategies

  • Monitor OpenClaw session tool invocations for access patterns that span multiple user contexts
  • Review audit logs for sessions_list, sessions_history, and sessions_send tool usage
  • Implement alerting on session access requests that target sessions outside the requesting user's ownership tree
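The following TypeScript is an added example, not OpenClaw code and not taken from the fix commit. It models how the four visibility levels introduced by the patch could be enforced against a session registry, and reuses that same policy as the detection logic described above: constructed audit-log lines are replayed and any sessions_list / sessions_history / sessions_send call whose target falls outside what the caller may see is flagged. The level semantics (self = own session only; tree = own session plus sessions spawned from it; agent = every session of the same agent; all = everything), the SessionRecord shape, and the audit line format are assumptions made for the illustration.

```typescript
// Added example (not OpenClaw project code). The visibility semantics, the
// session registry shape and the audit-log line format are all assumptions.
export type SessionToolsVisibility = "self" | "tree" | "agent" | "all";

export interface SessionRecord {
  id: string;
  agentId: string;     // agent the session belongs to
  owner: string;       // user who created the session
  parentId?: string;   // session that spawned this one, if any
}

export type SessionRegistry = Map<string, SessionRecord>;

// Walk parent links upward from targetId; true if ancestorId is on the path.
// The `seen` set guards against a corrupted registry with a parent cycle.
function descendsFrom(registry: SessionRegistry, targetId: string, ancestorId: string): boolean {
  const seen = new Set<string>();
  let current = registry.get(targetId);
  while (current && !seen.has(current.id)) {
    if (current.id === ancestorId) return true;
    seen.add(current.id);
    current = current.parentId ? registry.get(current.parentId) : undefined;
  }
  return false;
}

// Decide whether a call made from callerSessionId may touch targetSessionId.
export function isSessionVisible(
  registry: SessionRegistry,
  callerSessionId: string,
  targetSessionId: string,
  visibility: SessionToolsVisibility,
): boolean {
  const caller = registry.get(callerSessionId);
  const target = registry.get(targetSessionId);
  if (!caller || !target) return false; // unknown session: deny rather than leak
  if (visibility === "self") return caller.id === target.id;
  if (visibility === "tree") return descendsFrom(registry, target.id, caller.id);
  if (visibility === "agent") return caller.agentId === target.agentId;
  return true; // "all"
}

// One constructed audit-log line looks like:
// "2026-02-20T10:00:00Z tool=sessions_history caller=s-alice-1 target=s-bob-1"
export interface AuditEvent {
  ts: string;
  tool: string;
  callerSessionId: string;
  targetSessionId: string;
}

const LINE_RE = /^(\S+) tool=(\S+) caller=(\S+) target=(\S+)$/;

export function parseAuditLine(line: string): AuditEvent | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { ts: m[1], tool: m[2], callerSessionId: m[3], targetSessionId: m[4] };
}

const SESSION_TOOLS = new Set(["sessions_list", "sessions_history", "sessions_send"]);

// Replay audit lines against the policy and return the events it would deny,
// i.e. session-tool calls that reach outside the caller's permitted scope.
export function findOutOfScopeAccess(
  registry: SessionRegistry,
  lines: string[],
  visibility: SessionToolsVisibility,
): AuditEvent[] {
  const flagged: AuditEvent[] = [];
  for (const line of lines) {
    const ev = parseAuditLine(line);
    if (!ev || !SESSION_TOOLS.has(ev.tool)) continue; // skip non-session tools and junk
    if (!isSessionVisible(registry, ev.callerSessionId, ev.targetSessionId, visibility)) {
      flagged.push(ev);
    }
  }
  return flagged;
}

// Constructed sample data: two users on a shared agent, one user on another agent.
export const sampleRegistry: SessionRegistry = new Map<string, SessionRecord>([
  ["s-alice-1", { id: "s-alice-1", agentId: "agent-shared", owner: "alice" }],
  ["s-alice-1a", { id: "s-alice-1a", agentId: "agent-shared", owner: "alice", parentId: "s-alice-1" }],
  ["s-bob-1", { id: "s-bob-1", agentId: "agent-shared", owner: "bob" }],
  ["s-carol-1", { id: "s-carol-1", agentId: "agent-other", owner: "carol" }],
]);

export const sampleLog: string[] = [
  "2026-02-20T10:00:00Z tool=sessions_history caller=s-alice-1 target=s-alice-1",
  "2026-02-20T10:00:05Z tool=sessions_history caller=s-alice-1 target=s-alice-1a",
  "2026-02-20T10:00:09Z tool=sessions_history caller=s-alice-1 target=s-bob-1",
  "2026-02-20T10:00:12Z tool=sessions_send caller=s-alice-1 target=s-carol-1",
  "2026-02-20T10:00:15Z tool=chat caller=s-alice-1 target=s-bob-1",
  "garbage line that does not parse",
];
```

Running findOutOfScopeAccess over the sample log with the patched default of "tree" flags the two calls into bob's and carol's sessions; with "agent" only the cross-agent call to carol remains; with "all" nothing is flagged, which is why the pre-fix behaviour looked normal in logs unless the reviewer already knew which sessions each caller should own.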

Monitoring Recommendations

  • Enable verbose logging for session tool operations in shared-agent deployments
  • Audit webhook secret configuration in Telegram mode to ensure proper fallback behavior
  • Monitor for configuration files missing explicit visibility scoping settings

How to Mitigate CVE-2026-27004

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.2.15 or later immediately
  • Review shared-agent deployments to identify potentially affected environments
  • Audit session access logs to determine if unauthorized cross-session access has occurred
  • Verify Telegram webhook secret configuration includes explicit monitor-level overrides if applicable

Patch Information

OpenClaw version 2026.2.15 addresses this vulnerability by implementing proper session visibility scoping controls. The fix introduces a SessionToolsVisibility configuration option that allows administrators to explicitly define session access boundaries. The patch also corrects the webhook secret fallback mechanism in Telegram mode.

For detailed patch information, see the GitHub Security Advisory GHSA-6hf3-mhgc-cm65 and the commit implementing the fix.

Workarounds

  • Restrict shared-agent deployments to fully trusted user groups until the patch can be applied
  • Disable session tools (sessions_list, sessions_history, sessions_send) in multi-user environments if not required
  • Configure explicit webhookSecret overrides at the monitor level for Telegram deployments

```yaml
# Configuration example - Restricting session visibility in OpenClaw config
# Set session tools visibility to "self" to limit access to own sessions only
tools:
  sessions:
    visibility: "self"

# For Telegram webhook mode, ensure explicit webhook secret at monitor level
monitors:
  telegram:
    webhookSecret: "${MONITOR_WEBHOOK_SECRET}"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
