GHSA-vr7j-g7jv-h5mp

Source
https://github.com/advisories/GHSA-vr7j-g7jv-h5mp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vr7j-g7jv-h5mp/GHSA-vr7j-g7jv-h5mp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vr7j-g7jv-h5mp
Aliases
  • CVE-2026-33572
Published
2026-03-16T20:41:51Z
Modified
2026-04-06T23:06:42.649114Z
Severity
  • 5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw session transcript files were created without forced user-only permissions
Details

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.15
  • First fixed version: 2026.2.17
  • Current latest npm release checked during verification: 2026.3.13 (not affected)

Impact

Session transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions: their mode was left to the process umask, so the result depended on the host environment. With the common umask of 022 a file created with the default mode ends up as 0644, readable by every local user, and any secret a tool printed into the transcript is exposed with it.

Fix

New transcript files are now created with 0o600 permissions. Existing transcript permission drift is also remediated by the security audit fix flow.

Verified in code:

  • src/config/sessions/transcript.ts:82 writes new transcript files with mode: 0o600
  • src/config/sessions/sessions.test.ts:303 includes regression coverage asserting 0o600

Fix Commit(s)

  • 095d522099653367e1b76fa5bb09d4ddf7c8a57c

Release Note

This fix first shipped in 2026.2.17 and is present in the current npm release 2026.3.13.

Database specific
{
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-276",
        "CWE-732"
    ],
    "github_reviewed_at": "2026-03-16T20:41:51Z"
}

Affected packages

npm / openclaw

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2026.2.17

Database specific

last_known_affected_version_range
"<= 2026.2.15"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vr7j-g7jv-h5mp/GHSA-vr7j-g7jv-h5mp.json"