CVE-2026-33572

HIGH8.4

OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files

Published Mar 29, 2026

Modified 4 weeks ago

Details

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

References

FIX

https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c

ADVISORY

https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2026-33572

ADVISORY

https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files

CVSS Analysis

CVSS v4.0

6.8