CVE-2026-26326
- Source
- https://cve.org/CVERecord?id=CVE-2026-26326
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26326.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-26326
- Aliases
- Published
- 2026-02-19T22:55:53.292Z
- Modified
- 2026-02-25T07:42:13.588545Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw skills.status could leak secrets to operator.read clients
- Details
-
OpenClaw is a personal AI assistant. Prior to version 2026.2.14,
skills.statuscould disclose secrets tooperator.readclients by returning raw resolved config values inconfigChecksfor skillrequires.configpaths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only{ path, satisfied }) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-200" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26326.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26326.json
- https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
- https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm
- https://nvd.nist.gov/vuln/detail/CVE-2026-26326
Affected packages
Git / github.com/openclaw/openclaw
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openclaw/openclaw
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v1.*
v1.0.4
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v2.*
v2.0.0-beta1
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2026.*
v2026.1.10
v2026.1.11
v2026.1.11-1
v2026.1.11-2
v2026.1.11-3
v2026.1.12
v2026.1.12-2
v2026.1.13
v2026.1.14-1
v2026.1.15
v2026.1.16-2
v2026.1.20
v2026.1.21
v2026.1.22
v2026.1.23
v2026.1.24
v2026.1.24-1
v2026.1.29
v2026.1.30
v2026.1.5
v2026.1.5-1
v2026.1.5-2
v2026.1.5-3
v2026.1.8
v2026.1.9
v2026.2.1
v2026.2.12
v2026.2.13
v2026.2.2
v2026.2.3
v2026.2.6
v2026.2.6-1
v2026.2.6-2
v2026.2.6-3
v2026.2.9