CVE-2026-33572

HIGH CVSS 8.4 View on NVD ↗

Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp
https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files

Published: Mar 29, 2026 13:17 UTC Modified: Mar 29, 2026 13:17 UTC