GHSA-8mh7-phf8-xgfm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8mh7-phf8-xgfm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8mh7-phf8-xgfm
- Aliases
- Published
- 2026-02-17T21:43:41Z
- Modified
- 2026-02-20T16:52:36.277807Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw skills.status could leak secrets to operator.read clients
- Details
-
Summary
skills.statuscould disclose secrets tooperator.readclients by returning raw resolved config values inconfigChecksfor skillrequires.configpaths.Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.13 - Patched:
2026.2.14
Details
The gateway method
skills.statusreturned a requirements report that includedconfigChecks[].value(the resolved value for eachrequires.configentry). If a skill required a broad config subtree (for examplechannels.discord), the report could include secrets such as Discord bot tokens.skills.statusis callable withoperator.read, so read-scoped clients could obtain secrets withoutoperator.admin/config.*access.Fix
- Stop including raw resolved config values in requirement checks (return only
{ path, satisfied }). - Narrow the Discord skill requirement to the token key.
Fix commit(s):
- d3428053d95eefbe10ecf04f92218ffcba55ae5a
- ebc68861a61067fc37f9298bded3eec9de0ba783
Mitigation
Rotate any Discord tokens that may have been exposed to read-scoped clients.
Thanks @simecek for reporting.
Fix commits d3428053d95eefbe10ecf04f92218ffcba55ae5a and ebc68861a61067fc37f9298bded3eec9de0ba783 confirmed on main and in v2026.2.14. Upgrade to
openclaw >= 2026.2.14. - Package:
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:43:41Z", "cwe_ids": [ "CWE-200" ], "severity": "MODERATE", "nvd_published_at": "2026-02-19T23:16:25Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm
- https://nvd.nist.gov/vuln/detail/CVE-2026-26326
- https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
- https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw