CVE-2026-27004 in OpenClaw
Summary
by MITRE • 02/20/2026
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session targeting than some operators intended. This is primarily a configuration/visibility-scoping issue in multi-user environments where peers are not equally trusted. In Telegram webhook mode, monitor startup also did not fall back to per-account `webhookSecret` when only the account-level secret was configured. In shared-agent, multi-user, less-trusted environments: session-tool access could expose transcript content across peer sessions. In single-agent or trusted environments, practical impact is limited. In Telegram webhook mode, account-level secret wiring could be missed unless an explicit monitor webhook secret override was provided. Version 2026.2.15 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability described in CVE-2026-27004 affects OpenClaw, a personal AI assistant system that operates in both single-agent and shared-agent deployment configurations. This security issue manifests primarily in multi-user environments where trust levels among participants vary significantly, creating potential exposure risks for sensitive session data. The flaw exists in the session management tools including sessions_list, sessions_history, and sessions_send functionalities that were designed to limit session targeting scope but failed to properly enforce access controls in shared-agent deployments. This represents a configuration and visibility scoping issue that directly relates to the principle of least privilege, where users may access session data beyond their intended scope of authorization.
The technical implementation of this vulnerability stems from improper access control enforcement within the shared-agent architecture. When multiple users operate within the same OpenClaw instance, the system should restrict session tool access to prevent cross-contamination of session data between different users. However, the vulnerability allows for broader session targeting than intended, potentially enabling unauthorized users to access transcript content from peer sessions. This issue is particularly concerning in less-trusted environments where operators cannot fully trust all participants in the system. The problem extends to the Telegram webhook mode implementation where the monitor startup process fails to properly fall back to per-account webhookSecret configurations when only account-level secrets are configured, creating potential authentication bypass scenarios.
The operational impact of this vulnerability varies significantly based on deployment environment and trust model. In single-agent or fully trusted environments, the practical impact remains limited since all participants are considered equally trustworthy and the risk of data exposure is minimal. However, in shared-agent deployments with multiple users and varying trust levels, the vulnerability creates substantial risk for session data confidentiality. The exposure of transcript content across peer sessions represents a direct violation of user privacy and could lead to sensitive information leakage. The Telegram webhook mode configuration issue compounds the problem by potentially allowing unauthorized access to webhook endpoints when account-level secrets are improperly handled, creating additional attack vectors for malicious actors to exploit.
The vulnerability directly relates to CWE-284, which addresses improper access control in software systems, and aligns with ATT&CK technique T1078 for valid accounts and T1566 for social engineering. The fix implemented in version 2026.2.15 addresses both the session tool access control limitations and the webhook secret fallback mechanism. Organizations should implement proper configuration management to ensure that account-level secrets are correctly wired and that session tool access is properly scoped based on user roles and trust levels. The remediation requires careful attention to multi-user deployment configurations and proper implementation of access control mechanisms. Security teams should review existing deployments to ensure that shared-agent environments are properly configured to prevent cross-session data exposure and that webhook security configurations are correctly implemented to avoid authentication bypass scenarios. The vulnerability highlights the critical importance of proper access control implementation in multi-user AI assistant systems where data privacy and user confidentiality are paramount considerations.