Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only `{ path, satisfied }`) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm
Patch x_refsource_misc
https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
Patch x_refsource_misc
https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783
Release Notes x_refsource_misc
https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
Scores
CVSS v3
4.3
EPSS
0.0030
EPSS Percentile
21.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
npm/openclaw
0 - 2026.2.14npm
openclaw/openclaw
< 2026.2.14
Published
Feb 19, 2026
Tracked Since
Feb 20, 2026