PT-2026-28776 — Incorrect Default Permissions in Npm Openclaw

PT-2026-28776 · Npm · Openclaw

Published

2026-03-16

Updated

2026-03-16

CVSS v4.0

5.7

Medium

Vector

AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

openclaw created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: <= 2026.2.15
First fixed version: 2026.2.17
Current latest npm release checked during verification: 2026.3.13 (not affected)

Impact

Session transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.

Fix

New transcript files are now created with 0o600 permissions. Existing transcript permission drift is also remediated by the security audit fix flow.

Verified in code:

src/config/sessions/transcript.ts:82 writes new transcript files with mode: 0o600
src/config/sessions/sessions.test.ts:303 includes regression coverage asserting 0o600

Fix Commit(s)

095d522099653367e1b76fa5bb09d4ddf7c8a57c

Release Note

This fix first shipped in 2026.2.17 and is present in the current npm release 2026.3.13.

Fix

Incorrect Default Permissions

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-276CWE-732

Related Identifiers

GHSA-VR7J-G7JV-H5MP

Affected Products

Openclaw