PT-2026-28780 · Npm · Openclaw
Published 2026-03-16 · Updated 2026-03-16
CVSS v4.0: 6.9 (Medium)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
openclaw versions <= 2026.3.12 could include raw Telegram bot tokens in media fetch error strings when inbound Telegram media downloads failed.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.3.12
- Fixed version: 2026.3.13
Details
The vulnerable path was fetchRemoteMedia() in src/media/fetch.ts. In affected releases, fetch and HTTP error paths embedded the original Telegram file URL into MediaFetchError messages. For Telegram media, those URLs can include /file/bot<TOKEN>/..., so the resulting error strings could leak bot tokens into logs, console output, or any downstream error surface that rendered the exception text.

This issue is in scope under OpenClaw's trust model because the leaked secret is an OpenClaw-operated integration credential, not a user-supplied third-party secret.
Fix
openclaw@2026.3.13 redacts sensitive media URLs before constructing fetch error messages. Current code routes the source URL and follow-on error paths through redactMediaUrl() / redactSensitiveText(), so Telegram bot tokens are no longer emitted in those error strings.

Regression coverage exists in src/media/fetch.test.ts ("redacts Telegram bot tokens from fetch failure messages" and "redacts Telegram bot tokens from HTTP error messages").

Upgrading stops new leaks but does not revoke a token that has already been written to logs or error reports; operators whose failed Telegram media downloads may have been logged on an affected release should revoke and reissue the bot token (via BotFather) and scrub or restrict access to those logs.
Fix Commit(s)
7a53eb7ea8295b08be137e231c9a98c1a79b5cd5
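As an added illustration of the leak and the redaction described above (not openclaw's own code; the helper names redactTelegramBotToken, containsTelegramBotToken, unsafeFetchErrorMessage, safeFetchErrorMessage and the constructed sample URL with a fake token are assumptions made here, and do not mirror the project's redactMediaUrl() / redactSensitiveText()), the vulnerable message construction beside a hardened one that also covers the follow-on case where a lower-level error text already contains the URL:

```typescript
// Added example for this advisory, not openclaw's own code. The names used here
// (redactTelegramBotToken, containsTelegramBotToken, unsafeFetchErrorMessage,
// safeFetchErrorMessage, SAMPLE_URL) are illustrative assumptions and do not
// mirror the project's redactMediaUrl() / redactSensitiveText().

// Telegram Bot API file downloads are served from
//   https://api.telegram.org/file/bot<BOT_ID>:<SECRET>/<file_path>
// so the bot token ("<numeric id>:<secret>") is part of the URL path itself.
// Any error text built from the raw URL therefore carries the credential.
const TOKEN_IN_URL_PATH = /\/bot\d+:[A-Za-z0-9_-]+/g;
// A bare token with no "bot" prefix, for text that reached us through another
// channel (an HTTP client's own message, a header echoed into an error).
const BARE_TOKEN = /\b\d{8,}:[A-Za-z0-9_-]{30,}/g;

function redactTelegramBotToken(text: string): string {
  return text
    .replace(TOKEN_IN_URL_PATH, "/bot[REDACTED]")
    .replace(BARE_TOKEN, "[REDACTED]");
}

// Detector for the check a log pipeline or regression test would run: does
// this string still contain something shaped like a Telegram bot token?
function containsTelegramBotToken(text: string): boolean {
  return /bot\d+:[A-Za-z0-9_-]{20,}|\b\d{8,}:[A-Za-z0-9_-]{30,}/.test(text);
}

// Vulnerable shape (the pre-2026.3.13 pattern the advisory describes): the
// source URL is interpolated straight into the exception message.
function unsafeFetchErrorMessage(url: string, detail: string): string {
  return `Failed to fetch media from ${url}: ${detail}`;
}

// Hardened shape: redact the URL before the message is built, then scrub the
// finished string once more. The second pass matters for follow-on error
// paths, where `detail` comes from a lower-level error that has already
// interpolated the URL on its own.
function safeFetchErrorMessage(url: string, detail: string): string {
  const message = `Failed to fetch media from ${redactTelegramBotToken(url)}: ${detail}`;
  return redactTelegramBotToken(message);
}

// Constructed sample URL with a fake token; it only imitates the real shape.
const SAMPLE_URL =
  "https://api.telegram.org/file/bot123456789:AAExampleSecretExampleSecretExample123/photos/file_42.jpg";

// Builds both messages for a failed download whose low-level cause text
// already embeds the URL, and returns them so they can be compared.
function demo(): { unsafe: string; safe: string } {
  const lowLevelCause = `request to ${SAMPLE_URL} failed, status 403`;
  return {
    unsafe: unsafeFetchErrorMessage(SAMPLE_URL, lowLevelCause),
    safe: safeFetchErrorMessage(SAMPLE_URL, lowLevelCause),
  };
}

console.log(demo());
```

Redacting the URL once at the call site is not enough when the wrapped error's own message (the `detail` argument here) was produced by a client that already had the raw URL; scrubbing the assembled string closes that path, and containsTelegramBotToken() is the kind of assertion a regression test can make on the final message.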
Thanks @space08 for reporting.
Fix
Weakness Enumeration
Insertion into Log File
Related identifiers
Affected products
Openclaw