CVE-2026-27004
Improper Access Control in OpenClaw Sessions Exposes Transcripts
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.2.15 (2026.2.15 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in OpenClaw prior to version 2026.2.15 involves session tools such as sessions_list, sessions_history, and sessions_send allowing broader session targeting than intended in shared-agent, multi-user deployments. This is mainly due to insufficient configuration and visibility scoping, which can lead to unauthorized exposure of session transcript content across peer sessions in environments where users are not equally trusted.
Additionally, in Telegram webhook mode, the monitor startup process did not properly fall back to the per-account webhookSecret when only the account-level secret was configured, which could leave the webhook secret mismanaged.
The fix introduced a configuration parameter, tools.sessions.visibility, which by default restricts session tool access to the current session and the subagent sessions it spawned (tree visibility), preventing cross-session data leakage. It also enforces sandbox clamping, which restricts sandboxed sessions to spawned-session visibility, and ensures proper fallback handling of Telegram webhook secrets.
How can this vulnerability impact me?
In multi-user, less-trusted environments using shared-agent deployments, this vulnerability can lead to unauthorized access to session transcript content across peer sessions, exposing potentially sensitive information to unintended users.
In single-agent or trusted environments, the practical impact is limited.
In Telegram webhook mode, improper handling of webhook secrets could lead to secret mismanagement, potentially allowing unauthorized access or misuse of webhook integrations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the configuration of OpenClaw session tools and their visibility scope to ensure they are not exposing broader session data than intended.
Specifically, check the value of the configuration parameter `tools.sessions.visibility`. It should be set to "tree" or a more restrictive scope to prevent unauthorized session access.
Commands or steps to detect the vulnerability might include:
- Inspect the OpenClaw configuration file or environment for the `tools.sessions.visibility` setting.
- Use OpenClaw session tools such as `sessions_list`, `sessions_history`, and `sessions_send` to test whether session data from unrelated sessions or agents is accessible.
- In Telegram webhook mode, verify that the monitor startup correctly uses the per-account `webhookSecret` fallback if no explicit override is provided.
No explicit command-line commands are provided in the resources, but these configuration checks and session tool usage tests are the recommended approach. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade OpenClaw to version 2026.2.15 or later, where the issue is fixed.
Additionally, configure the `tools.sessions.visibility` parameter to "tree" or a more restrictive setting to limit session tool access to the current session and its spawned subagent sessions.
Ensure that sandboxed sessions have the visibility clamp enforced, preventing them from accessing sessions outside their spawn tree.
In Telegram webhook mode, verify that the monitor startup process correctly falls back to the per-account `webhookSecret` if no explicit override is provided, to avoid secret mismanagement.
Review and update your deployment configuration to enforce these settings and prevent unauthorized session transcript exposure. [1, 2]
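The detection and mitigation checks above can be scripted against a parsed copy of the deployment configuration. The following Node.js audit helper is an added example for this page, not OpenClaw's own code or CLI. It assumes (these are the example's assumptions, not facts from the advisory) that the config is a plain object in which `tools.sessions.visibility` is reachable by that dotted path, that `"spawned"` is the only value narrower than `"tree"` and any other value or an unset key is broader than `"tree"`, and that Telegram accounts live under a `channels.telegram.accounts` array with `id`, `mode` and `webhookSecret` fields; adjust those paths to your own config file. It models two checks: the visibility setting (including the sandbox clamp) and the per-account `webhookSecret` fallback when no explicit override is supplied.

```javascript
// Added audit example for CVE-2026-27004 (not OpenClaw project code).
// Config paths and field names below are assumptions; see the lead-in.

const VISIBILITY_RANK = { spawned: 0, tree: 1 }; // lower = narrower scope
const BROADER_THAN_TREE = 2; // any other value, or none, pre-fix behaviour

function rankOf(value) {
  return Object.prototype.hasOwnProperty.call(VISIBILITY_RANK, value)
    ? VISIBILITY_RANK[value]
    : BROADER_THAN_TREE;
}

// Walk a dotted path such as "tools.sessions.visibility" through the config.
function walk(obj, dotted) {
  return dotted.split(".").reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// Effective scope a session gets: the sandbox clamp forces "spawned"
// regardless of the configured value (modelled after the fix description).
function effectiveVisibility(configured, sandboxed) {
  return sandboxed ? "spawned" : configured;
}

// Check 1: session-tool visibility must be "tree" or narrower.
function auditSessionVisibility(config, { sandboxed = false } = {}) {
  const configured = walk(config, "tools.sessions.visibility");
  const effective = effectiveVisibility(configured, sandboxed);
  const findings = [];
  if (rankOf(effective) > VISIBILITY_RANK.tree) {
    findings.push(
      `tools.sessions.visibility is ${JSON.stringify(configured ?? null)}; ` +
        'set it to "tree" (the post-fix default) or "spawned"'
    );
  }
  return findings;
}

// Resolve the secret for one Telegram account: an explicit override wins,
// otherwise the account's own webhookSecret is used, otherwise nothing.
function resolveTelegramWebhookSecret(account, override) {
  if (typeof override === "string" && override.length > 0) return override;
  const own = account.webhookSecret;
  if (typeof own === "string" && own.length > 0) return own;
  return null;
}

// Check 2: every account in webhook mode must resolve to a non-empty secret.
// `overrides` maps account id -> explicitly supplied secret (assumed shape).
function auditTelegramWebhooks(config, overrides = {}) {
  const accounts = walk(config, "channels.telegram.accounts") || [];
  const findings = [];
  for (const account of accounts) {
    if (account.mode !== "webhook") continue; // polling accounts need no secret
    if (resolveTelegramWebhookSecret(account, overrides[account.id]) === null) {
      findings.push(
        `telegram account ${account.id}: no webhookSecret resolves ` +
          "(neither an explicit override nor the per-account value is set)"
      );
    }
  }
  return findings;
}

function auditConfig(config, overrides = {}) {
  return [
    ...auditSessionVisibility(config),
    ...auditTelegramWebhooks(config, overrides),
  ];
}

// Constructed sample configs for demonstration (not from any real deployment).
const WEAK_CONFIG = {
  tools: { sessions: {} }, // visibility unset: broader than "tree"
  channels: { telegram: { accounts: [{ id: "ops-bot", mode: "webhook" }] } },
};
const HARDENED_CONFIG = {
  tools: { sessions: { visibility: "tree" } },
  channels: {
    telegram: {
      accounts: [
        { id: "ops-bot", mode: "webhook", webhookSecret: "example-secret-not-real" },
      ],
    },
  },
};

for (const [name, cfg] of [["weak", WEAK_CONFIG], ["hardened", HARDENED_CONFIG]]) {
  const findings = auditConfig(cfg);
  console.log(`${name}: ${findings.length === 0 ? "OK" : "\n  " + findings.join("\n  ")}`);
}
```

Run it with `node audit.js` after replacing the constructed sample objects with `JSON.parse` of your own config file; a clean deployment prints `OK` for both checks, while an unset visibility or a webhook-mode account with no resolvable secret is reported as a finding.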