CVE-2026-27003

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-27003
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27003.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27003
Aliases
Published
2026-02-19T23:14:10.200Z
Modified
2026-03-03T01:05:24.676509Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
OpenClaw: Telegram bot token exposure via logs
Details

OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include https://api.telegram.org/bot<token>/...). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27003.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-522"
    ]
}
References

Affected packages

Git / github.com/openclaw/openclaw

Affected ranges

Type
GIT
Repo
https://github.com/openclaw/openclaw
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ea487f05c1763f170381b6fcff73b0fea0fd12d5

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27003.json"