CVE-2026-33572

medium

Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

References

https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files

https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp

https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c

Details

Source: Mitre, NVD

Published: 2026-03-29

Updated: 2026-03-29

Risk Information

CVSS v2

Base Score: 7.2

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.4

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 6.8

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: Medium