PT-2026-20967 · Openclaw · Openclaw

Aether-Ai-Agent

·

Published

2026-02-18

·

Updated

2026-02-20

·

CVE-2026-27004

CVSS v4.0

6.9

Medium

VectorAV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.2.15
Description OpenClaw is a personal AI assistant. In shared-agent deployments, prior to version 2026.2.15, session tools (sessions list, sessions history, sessions send) permitted broader session targeting than intended by some operators. This is a configuration and visibility-scoping issue in multi-user environments where peers are not equally trusted, potentially exposing transcript content across peer sessions. In Telegram webhook mode, monitor startup did not fall back to per-account webhookSecret when only the account-level secret was configured.
Recommendations Update OpenClaw to version 2026.2.15 or later.

Exploit

Fix

Origin Validation Error

Generation of Error Message Containing Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-27004
GHSA-6HF3-MHGC-CM65

Affected Products

Openclaw