CVE-2026-26326

OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only `{ path, satisfied }`) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a	Patch
https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783	Patch
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14	Product Release Notes
https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

23 Feb 2026, 13:46

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a -~~	() https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a - Patch
References	~~() https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783 -~~	() https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783 - Patch
References	~~() https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 -~~	() https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 - Product, Release Notes
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm - Patch, Vendor Advisory
First Time		Openclaw openclaw Openclaw
Summary		(es) OpenClaw es un asistente personal de IA. Antes de la versión 2026.2.14, `skills.status` podría divulgar secretos a clientes de `operator.read` al devolver valores de configuración resueltos en bruto en `configChecks` para las rutas `requires.config` de la habilidad. La versión 2026.2.14 deja de incluir valores de configuración resueltos en bruto en las comprobaciones de requisitos (devuelve solo `{ path, satisfied }`) y restringe el requisito de la habilidad de Discord a la clave del token. Además de actualizar, los usuarios deberían rotar cualquier token de Discord que pueda haber sido expuesto a clientes con ámbito de lectura.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

19 Feb 2026, 23:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-19 23:16

Updated : 2026-02-23 13:46

NVD link : CVE-2026-26326

Mitre link : CVE-2026-26326

CVE.ORG link : CVE-2026-26326

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

4.3 /10