AVID-2026-R0230
Description
OpenClaw skills.status could leak secrets to operator.read clients (CVE-2026-26326)
Details
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for skill requires.config paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only { path, satisfied }) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.
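The difference between the two response shapes described above, as an added example that is not OpenClaw's own code: the function names, the `value` field, the config paths and the token placeholder are all assumptions made for illustration, and only `path`, `satisfied` and `configChecks` come from the advisory text. `leakedValues` is a regression check a defender can run against any status-style response.

```javascript
// Added example; all names are hypothetical, not OpenClaw source.
// Constructed sample config: the token value is a placeholder.
const sampleConfig = {
  channels: { discord: { token: "PLACEHOLDER-DISCORD-TOKEN", guild: "1234" } },
};

// Resolve a dotted path such as "channels.discord.token".
function resolvePath(config, path) {
  return path.split(".").reduce(
    (node, key) => (node != null && typeof node === "object" ? node[key] : undefined),
    config,
  );
}

function isSatisfied(value) {
  if (value == null) return false;
  if (typeof value === "string") return value.trim() !== "";
  return true;
}

// Pre-fix shape as the advisory describes it: the resolved value rides along.
function configChecksLeaky(config, paths) {
  return paths.map((path) => {
    const value = resolvePath(config, path);
    return { path, value, satisfied: isSatisfied(value) };
  });
}

// Post-fix shape: only { path, satisfied } leaves the process.
function configChecksRedacted(config, paths) {
  return paths.map((path) => ({ path, satisfied: isSatisfied(resolvePath(config, path)) }));
}

// Regression check: collect every string leaf of the config and
// report any that appears in the serialized response.
function leakedValues(config, response) {
  const body = JSON.stringify(response);
  const leaves = [];
  const walk = (node) => {
    if (typeof node === "string" && node !== "") leaves.push(node);
    else if (node && typeof node === "object") Object.values(node).forEach(walk);
  };
  walk(config);
  return leaves.filter((leaf) => body.includes(JSON.stringify(leaf).slice(1, -1)));
}
```

A requirement path that names a whole config subtree is the worst case for the leaky shape, since every key under it is returned; narrowing the path to the single key limits what a regression could expose.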
References
- NVD entry
- https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm
- https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
- https://github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- OpenClawCVEs repository
Affected or Relevant Artifacts
- Developer: openclaw
- Deployer: openclaw
- Artifact Details:
| Type | Name |
|---|---|
| System | openclaw |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-200 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2026-02-19
- Version: 0.3
- AVID Entry