Executive Summary

This vulnerability affects the OpenClaw personal AI assistant, specifically versions up to 2026.2.14. When OpenClaw processes request URLs containing Telegram bot tokens in the format https://api.telegram.org/bot<token>/..., it logged these tokens in error messages, stack traces, crash reports, CI outputs, or support bundles without redacting them.

Because these tokens are sensitive credentials, their exposure in logs or error outputs can lead to unauthorized access. An attacker who obtains a Telegram bot token can impersonate the bot and take over its Bot API access.

The vulnerability was fixed in version 2026.2.15 by implementing redaction of Telegram bot tokens from error messages and stack traces to prevent accidental leakage.

Useful 0 Not Useful 0

Impact Analysis

If your Telegram bot token is exposed due to this vulnerability, an attacker can impersonate your bot by using the leaked token.

This unauthorized access allows the attacker to control the bot, potentially sending messages, accessing data, or performing actions on behalf of the bot.

Such a compromise can lead to loss of trust, unauthorized data access, and disruption of services that rely on the bot.

To mitigate this risk, users should upgrade to OpenClaw version 2026.2.15 or later and rotate any Telegram bot tokens that may have been exposed.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by searching your logs, error messages, stack traces, crash reports, CI outputs, or support bundles for exposed Telegram bot tokens. These tokens appear in URLs in the format https://api.telegram.org/bot<token>/..., where <token> is a numeric ID followed by a colon and a 20+ character alphanumeric string.'}, {'type': 'paragraph', 'content': 'You can use commands to search for these tokens in your log files or outputs. For example, using grep on Linux or Unix systems:'}, {'type': 'list_item', 'content': "grep -rE 'bot[0-9]{6,}:[A-Za-z0-9_-]{20,}' /path/to/logs"}, {'type': 'list_item', 'content': 'This command recursively searches files in the specified directory for strings matching the Telegram bot token pattern.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring error messages or stack traces that include URLs with the bot token pattern can help detect exposure.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade OpenClaw to version 2026.2.15 or later, which includes a fix that redacts Telegram bot tokens from error messages and stack traces to prevent leakage.

If you suspect that your Telegram bot token has been exposed in logs or error outputs, you should rotate the Telegram bot token to invalidate the compromised token and prevent unauthorized access.

Useful 0 Not Useful 0