CVE-2026-27004
- Source
- https://cve.org/CVERecord?id=CVE-2026-27004
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27004.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-27004
- Aliases
- Published
- 2026-02-19T23:18:47.555Z
- Modified
- 2026-04-02T13:19:35.179422Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw session tool visibility hardening and Telegram webhook secret fallback
- Details
-
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (
sessions_list,sessions_history,sessions_send) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-accountwebhookSecretwhen only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue. - Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27004.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-209", "CWE-346" ] }- References
Affected packages
Git / github.com/openclaw/openclaw
Affected ranges
- Type
- GIT
- Repo
- https://github.com/openclaw/openclaw
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed