PT-2026-20791 · Telegram+1 · Telegram Bot Api+1

Aether-Ai-Agent · Published 2026-02-18 · Updated 2026-03-01 · CVE-2026-27003

CVSS v4.0: 6.9 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.15

Description

The application logs Telegram bot tokens without redaction when they appear in error messages or stack traces, such as in request URLs including https://api.telegram.org/bot<token>/.... This can lead to the leakage of the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and gain full Bot API access.

Recommendations

Upgrade to version 2026.2.15 or later. Rotate the Telegram bot token if it may have been exposed.
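
The following is an added example, not OpenClaw's actual fix: a JavaScript helper that redacts bot tokens from messages, stack traces and nested causes before logging, plus an audit of existing log text that supports the rotation decision. The token pattern, the function names and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example: redact Telegram bot tokens before text reaches a log sink.
// Assumption: a token is a numeric bot id, a colon (or URL-encoded %3A) and a
// URL-safe secret; lengths are lenient so over-redaction wins over a leak.
const TOKEN_RE = /\d{6,}(?::|%3A)[A-Za-z0-9_-]{30,}/gi;

function redactTelegramTokens(text) {
  return String(text).replace(TOKEN_RE, '<redacted>');
}

// Copy an Error and its cause chain into a plain object with redacted text,
// so stack traces and wrapped request errors cannot carry the token into logs.
// Non-Error values are stringified and redacted; depth is capped against cycles.
function redactError(err, depth = 0) {
  if (!(err instanceof Error) || depth > 5) return redactTelegramTokens(err);
  const out = {
    name: err.name,
    message: redactTelegramTokens(err.message),
    stack: redactTelegramTokens(err.stack || ''),
  };
  if (err.cause !== undefined) out.cause = redactError(err.cause, depth + 1);
  return out;
}

// Audit existing log text: return the 1-based numbers of lines that held a
// token, without echoing the token. Any hit means the token should be rotated.
function findLeakedLines(logText) {
  return logText
    .split('\n')
    .map((line, i) => (redactTelegramTokens(line) !== line ? i + 1 : 0))
    .filter(Boolean);
}

// Constructed sample data: not a real token, not real application output.
const FAKE_TOKEN = '1234567890:' + 'A'.repeat(35);
const SAMPLE_LOG = [
  'info  gateway started',
  `error fetch failed: https://api.telegram.org/bot${FAKE_TOKEN}/getUpdates`,
  `debug env TELEGRAM_BOT_TOKEN=${FAKE_TOKEN}`,
  'info  retrying in 5s',
].join('\n');

console.log(redactTelegramTokens(SAMPLE_LOG));
console.log('lines with tokens:', findLeakedLines(SAMPLE_LOG));
```

Redacting at the point where errors are serialized covers crash reports and support bundles as well as ordinary log lines, since all of them are built from the same message and stack strings.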

Exploit

Fix

Insufficiently Protected Credentials


Weakness Enumeration

Related Identifiers

CVE-2026-27003
GHSA-CHF7-JQ6G-QRWV

Affected Products

Openclaw
Telegram Bot Api