Moderate severity · NVD Advisory · Published Feb 19, 2026 · Updated Feb 20, 2026
OpenClaw skills.status could leak secrets to operator.read clients
CVE-2026-26326
Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, skills.status could disclose secrets to operator.read clients by returning raw resolved config values in configChecks for skill requires.config paths. Version 2026.2.14 stops including raw resolved config values in requirement checks (return only { path, satisfied }) and narrows the Discord skill requirement to the token key. In addition to upgrading, users should rotate any Discord tokens that may have been exposed to read-scoped clients.
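The change described above, sketched as an added example that is not OpenClaw's code. Only `path` and `satisfied` come from the advisory; the function names, the `value` key, the dotted-path syntax and the config layout are assumptions made for illustration.

```javascript
// Added illustration; NOT OpenClaw source. All names except `path` and
// `satisfied` (taken from the advisory) are hypothetical.

// Constructed sample config; the token is a fake placeholder.
const sampleConfig = {
  channels: { discord: { token: "FAKE-DISCORD-TOKEN", guild: "example" } },
};

// Resolve a dotted path such as "channels.discord.token" against the config.
function resolvePath(config, path) {
  return path.split(".").reduce(
    (node, key) => (node != null && typeof node === "object" ? node[key] : undefined),
    config,
  );
}

function isSatisfied(value) {
  return value !== undefined && value !== null && value !== "";
}

// Pre-fix shape: the resolved value rides along with the check result,
// so any client allowed to read status also reads the secret.
function configChecksLeaky(config, requiredPaths) {
  return requiredPaths.map((path) => {
    const value = resolvePath(config, path);
    return { path, value, satisfied: isSatisfied(value) };
  });
}

// Post-fix shape: only { path, satisfied } leaves the process.
function configChecksSafe(config, requiredPaths) {
  return requiredPaths.map((path) => ({
    path,
    satisfied: isSatisfied(resolvePath(config, path)),
  }));
}

// Regression check for a status payload: report any configChecks entry
// that carries keys beyond the two the fixed version returns.
function findLeakyChecks(checks) {
  const allowed = new Set(["path", "satisfied"]);
  return checks
    .filter((c) => Object.keys(c).some((k) => !allowed.has(k)))
    .map((c) => c.path);
}
```

`findLeakyChecks` can be used as a regression test against a captured status response to confirm that an upgraded instance no longer returns resolved values.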
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.14 | 2026.2.14 |
References
- github.com/advisories/GHSA-8mh7-phf8-xgfm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26326 (ghsa, ADVISORY)
- github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a (ghsa, x_refsource_MISC, WEB)
- github.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783 (ghsa, x_refsource_MISC, WEB)
- github.com/openclaw/openclaw/releases/tag/v2026.2.14 (ghsa, x_refsource_MISC, WEB)
- github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm (ghsa, x_refsource_CONFIRM, WEB)