CVE-2026-33572
HIGHOpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files
Title source: cnaDescription
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
References (3)
Core 3
Core References
Third Party Advisory vendor-advisory
GitHub Security Advisory (GHSA-vr7j-g7jv-h5mp)
https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files
https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files
Scores
CVSS v3
8.4
EPSS
0.0012
EPSS Percentile
2.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-378
Status
published
Products (4)
npm/openclaw
0 - 2026.2.17npm
OpenClaw/OpenClaw
< 2026.2.17
openclaw/openclaw
< 2026.2.17
OpenClaw/OpenClaw
2026.2.17
Published
Mar 29, 2026
Tracked Since
Mar 29, 2026