PT-2026-20960 · Openclaw · Openclaw

Simecek · Published 2026-02-17 · Updated 2026-03-01 · CVE-2026-26326

CVSS v4.0: 5.3 (Medium) · AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14

Description: The skills.status function could reveal sensitive information to clients with operator.read access. This occurred because the function returned raw resolved config values within configChecks for skill requires.config paths. Specifically, the configChecks[].value element in the requirements report could expose secrets, such as Discord bot tokens, if a skill required a broad configuration subtree. Because the function is accessible via operator.read, a client with read-only access could obtain these secrets without holding operator.admin or config.* permissions. The API endpoint involved is skills.status; the vulnerable parameter is requires.config.

Recommendations: Upgrade to OpenClaw version 2026.2.14 or later. Rotate any Discord tokens that may have been exposed to read-scoped clients.
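The failure mode described above, as an added example that is not OpenClaw's own code: a minimal requirements-report builder in the leaky shape (copying the resolved config subtree into configChecks[].value) beside a redacted shape that reports only whether each required path is present, plus a regression check a maintainer could keep around. The function names, the config layout and the placeholder token are assumptions.

```typescript
// Added example, not OpenClaw's own code; names and config shape are assumed.
type Config = Record<string, unknown>;

interface ConfigCheck {
  path: string;       // the requires.config path the skill declared
  satisfied: boolean; // whether the path resolves to a value
  value?: unknown;    // present only in the leaky variant
}

// Resolve a dotted path such as "channels.discord" against the config tree.
function resolveConfigPath(config: Config, path: string): unknown {
  return path.split(".").reduce<unknown>((cur, key) => {
    if (cur === null || typeof cur !== "object") return undefined;
    return (cur as Config)[key];
  }, config);
}

// Pre-fix shape: the raw resolved subtree is copied into configChecks[].value,
// so a broad path like "channels.discord" carries the bot token with it.
function buildConfigChecksLeaky(config: Config, requires: string[]): ConfigCheck[] {
  return requires.map((path) => {
    const value = resolveConfigPath(config, path);
    return { path, satisfied: value !== undefined, value };
  });
}

// Hardened shape: report only whether the requirement is met; a read-scoped
// caller learns nothing about the configured values themselves.
function buildConfigChecksRedacted(config: Config, requires: string[]): ConfigCheck[] {
  return requires.map((path) => ({
    path,
    satisfied: resolveConfigPath(config, path) !== undefined,
  }));
}

// Regression check: does the serialized report contain any known secret?
function reportLeaksSecret(report: ConfigCheck[], secrets: string[]): boolean {
  const serialized = JSON.stringify(report);
  return secrets.some((secret) => serialized.includes(secret));
}

// Constructed sample config; the token is a placeholder, not a real credential.
const sampleConfig: Config = {
  channels: { discord: { token: "DISCORD_TOKEN_PLACEHOLDER", guildId: "123" } },
};
const sampleRequires = ["channels.discord", "channels.slack"];
const sampleSecrets = ["DISCORD_TOKEN_PLACEHOLDER"];
```

Running reportLeaksSecret over the leaky report returns true and over the redacted report returns false, while both reports still answer whether each required path is configured.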

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-26326
GHSA-8MH7-PHF8-XGFM

Affected Products

Openclaw