CVE-2026-33572 Overview
CVE-2026-33572 is an insecure permissions vulnerability in OpenClaw, a Node.js-based application. OpenClaw before version 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
Critical Impact
Local attackers can access session transcript files containing sensitive data, including secrets and tool output, due to improper file permission settings during file creation.
Affected Products
- OpenClaw versions prior to 2026.2.17
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-03-29 - CVE-2026-33572 published to NVD
- 2026-03-31 - Last updated in NVD database
Technical Details for CVE-2026-33572
Vulnerability Analysis
This vulnerability stems from insecure default file permissions when creating session transcript files. OpenClaw uses JSONL (JSON Lines) format to store session transcripts, which may contain sensitive information such as authentication tokens, API keys, and other secrets exposed through tool output during sessions.
When the application creates these transcript files, it uses the default system umask rather than explicitly setting restrictive permissions. The resulting files are potentially world-readable or group-readable depending on the system's default configuration (a common default umask of 022 yields mode 0644, readable by every local user), violating the principle of least privilege.
The vulnerability is classified under CWE-378 (Creation of Temporary File With Insecure Permissions), indicating a failure to properly secure files during the creation process.
Root Cause
The root cause is the omission of explicit file permission settings when writing session transcript files. The original code used fs.promises.writeFile() and fs.writeFileSync() without specifying the mode option, causing the file to inherit permissions based on the process umask. This meant that transcript files containing potentially sensitive session data could be read by any local user on shared systems.
Attack Vector
The attack vector is local, requiring an attacker to have local access to the system where OpenClaw is running. The exploitation path involves:
- An attacker identifies the location where OpenClaw stores session transcript files
- The attacker reads the transcript files that were created with overly permissive settings
- Sensitive information including secrets, API keys, or other confidential data from tool output is extracted from the JSONL transcript contents
// Vulnerable code pattern (before fix)
// Source: https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
timestamp: new Date().toISOString(),
cwd: process.cwd(),
};
- await fs.promises.writeFile(params.sessionFile, `${JSON.stringify(header)}\n`, "utf-8");
+ await fs.promises.writeFile(params.sessionFile, `${JSON.stringify(header)}\n`, {
+ encoding: "utf-8",
+ mode: 0o600,
+ });
}
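Review bot: `mode: 0o600` only takes effect when `writeFile` creates the file; if `params.sessionFile` already exists (for example a transcript written by an earlier version under the default umask), its existing permission bits are kept, so consider following the write with an explicit `fs.promises.chmod(params.sessionFile, 0o600)` or opening the file with an exclusive-create flag. The `fs.writeFileSync()` call path mentioned in the root-cause description above is not in this hunk; confirm it receives the same `mode` option.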
The fix explicitly sets mode: 0o600 which restricts file access to the owner only (read/write for owner, no access for group or others).
Detection Methods for CVE-2026-33572
Indicators of Compromise
- Session transcript files with permissions more permissive than 0600 (e.g., 0644, 0664, or 0666)
- Unusual read access patterns to OpenClaw transcript directories by non-owner users
- Evidence of transcript file enumeration by unprivileged local users
Detection Strategies
- Audit file permissions on existing OpenClaw session transcript files using find commands with permission filters
- Monitor file access logs for unauthorized reads of transcript files in OpenClaw's session storage directory
- Implement file integrity monitoring (FIM) to alert on permission changes to sensitive transcript directories
Monitoring Recommendations
- Configure audit rules to track read operations on transcript file directories
- Monitor for processes spawned by non-standard users attempting to access OpenClaw storage paths
- Review access control logs on shared systems where OpenClaw operates
How to Mitigate CVE-2026-33572
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.17 or later which includes the security fix
- Audit and correct permissions on existing session transcript files using chmod 600
- Review transcript files for sensitive data exposure and rotate any compromised credentials
Patch Information
The vulnerability has been addressed in the official security patch. The fix adds explicit mode: 0o600 permissions when creating session transcript files, ensuring only the file owner can read or write the contents.
For detailed patch information, refer to the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Set a restrictive umask (e.g., umask 077) for the user running OpenClaw processes; this only affects files created after the change, so existing transcripts still need their permissions corrected
- Restrict transcript directory permissions to prevent access by other local users
- Run OpenClaw in an isolated environment or container where local user access is controlled
# Fix permissions on existing transcript files
find /path/to/openclaw/transcripts -type f -name "*.jsonl" -exec chmod 600 {} \;
# Set restrictive umask before running OpenClaw
umask 077
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.