Moderate severityNVD Advisory· Published Feb 19, 2026· Updated Feb 20, 2026
OpenClaw: Telegram bot token exposure via logs
CVE-2026-27003
Description
OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include https://api.telegram.org/bot/...). Prior to version 2026.2.15, OpenClaw logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles. Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access. Users should upgrade to version 2026.2.15 to obtain a fix and rotate the Telegram bot token if it may have been exposed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.2.15 | 2026.2.15 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-chf7-jq6g-qrwvghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-27003ghsaADVISORY
- github.com/openclaw/openclaw/commit/cf69907015b659e5025efb735ee31bd05c4ee3d5ghsax_refsource_MISCWEB
- github.com/openclaw/openclaw/security/advisories/GHSA-chf7-jq6g-qrwvghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.