CVE-2026-33572

HIGH NVD

CVSS Score 8.4

Severity HIGH

Published Mar 29, 2026

Vendor unknown

Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

References

https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp
https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files