Severity: 6.9 (CVSS 4.0)

OpenClaw Exposes Telegram Bot Tokens in Error Messages

CVE-2026-27003 GHSA-chf7-jq6g-qrwv
Summary

OpenClaw, a library used in some applications, previously logged sensitive Telegram bot tokens in error messages. This could have allowed attackers to steal the tokens and take control of the bot. To fix the issue, update to the latest version of OpenClaw and consider changing your Telegram bot token.

What to do
  • Update steipete openclaw to version 2026.2.15.
Affected software
Vendor    Product   Affected versions  Fix available
steipete  openclaw  <= 2026.2.15       2026.2.15
openclaw  openclaw  <= 2026.2.15       –
Original title
OpenClaw: Telegram bot token exposure via logs
Original description
## Vulnerability

Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). OpenClaw previously logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles.

## Impact

Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected: `<= 2026.2.14`
- Fixed: `>= 2026.2.15` (next release)

## Mitigation

- Upgrade to `openclaw >= 2026.2.15` when released.
- Rotate the Telegram bot token if it may have been exposed.

## Fix Commit(s)

- cf6990701b258bb9cc4ac7f6c7bdf05016e7f6e46

Thanks @aether-ai-agent for reporting.
NVD CVSS 3.1: 5.5
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-522 Insufficiently Protected Credentials
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026