CVE-2026-33572

HIGH

OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files

Title source: cna

Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

Scores

CVSS v3 8.4
EPSS 0.0001
EPSS Percentile 2.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-378
Status published
Products (4)
npm/openclaw 0 - 2026.2.17 (npm)
OpenClaw/OpenClaw < 2026.2.17
openclaw/openclaw < 2026.2.17
OpenClaw/OpenClaw 2026.2.17
Published Mar 29, 2026
Tracked Since Mar 29, 2026