CVE-2026-27003
EPSS 0.01%OpenClaw: Telegram bot token exposure via logs
描述
## Vulnerability Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). OpenClaw previously logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. ## Impact Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.14` - Fixed: `>= 2026.2.15` (next release) ## Mitigation - Upgrade to `openclaw >= 2026.2.15` when released. - Rotate the Telegram bot token if it may have been exposed. ## Fix Commit(s) - cf6990701b258bb9cc4ac7f6c7bdf05016e7f6e46 Thanks @aether-ai-agent for reporting.
受影響套件(1)
- npm/openclawfrom 0, < 2026.2.15
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |