CVE-2026-27003


Date: February 19, 2026

Vulnerability

Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include "https://api.telegram.org/bot<token>/..."). OpenClaw previously logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support bundles.

Impact

Disclosure of a Telegram bot token allows an attacker to impersonate the bot and take over Bot API access.

Affected Packages / Versions

- Package: "openclaw" (npm)
- Affected: "<= 2026.2.14"
- Fixed: ">= 2026.2.15" (next release)

Mitigation

- Upgrade to "openclaw >= 2026.2.15" when released.
- Rotate the Telegram bot token if it may have been exposed.

Fix Commit(s)

- cf6990701b258bb9cc4ac7f6c7bdf05016e7f6e46

Thanks @aether-ai-agent for reporting.
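One way to scrub errors before they are logged, and to audit existing logs for the leak described above. This is an added example, not OpenClaw's code or its fix commit; the function names, the token pattern (numeric bot id, colon, secret of `[A-Za-z0-9_-]`) and the sample values are assumptions.

```javascript
// Added example: redact Telegram bot tokens before anything is logged.
// Assumption: a token is "<numeric bot id>:<secret>", secret chars in
// [A-Za-z0-9_-]; the length bounds below are deliberately loose.
const IN_URL = /(\/bot)\d+:[A-Za-z0-9_-]+/g;     // .../bot<token>/method
const BARE = /\b\d{6,}:[A-Za-z0-9_-]{30,}/g;     // token outside a URL

function redactText(text) {
  return String(text)
    .replace(IN_URL, '$1<redacted>')
    .replace(BARE, '<redacted>');
}

// Returns a plain, log-safe copy of an error. Message, stack and the
// nested `cause` chain are all scrubbed, since each can carry the URL.
function redactError(err, depth = 0) {
  if (!(err instanceof Error)) return redactText(err);
  const safe = {
    name: err.name,
    message: redactText(err.message),
    stack: err.stack ? redactText(err.stack) : undefined,
  };
  if (err.cause !== undefined && depth < 5) {
    safe.cause = redactError(err.cause, depth + 1);
  }
  return safe;
}

// Audit helper for logs, CI output or support bundles: returns 1-based
// line numbers that contain something token-shaped.
function findLeakLines(logText) {
  const hits = [];
  logText.split('\n').forEach((line, i) => {
    if (redactText(line) !== line) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample values (not real credentials).
const FAKE_TOKEN = '123456789:' + 'A'.repeat(35);
const sampleError = new Error('sendMessage failed', {
  cause: new Error(`fetch https://api.telegram.org/bot${FAKE_TOKEN}/sendMessage: ECONNRESET`),
});
const sampleLog = [
  'info  gateway started',
  `error GET https://api.telegram.org/file/bot${FAKE_TOKEN}/photos/a.jpg 502`,
  `debug TELEGRAM_TOKEN=${FAKE_TOKEN}`,
].join('\n');

console.log(JSON.stringify(redactError(sampleError), null, 2));
console.log(findLeakLines(sampleLog));
```

Any line number returned by `findLeakLines` on real logs means the token should be treated as exposed and rotated, per the mitigation above.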

Severity Score

Weakness Type (CWE)

Insufficiently Protected Credentials

CWE-522

Top Fix

Upgrade Version

Upgrade to version openclaw - 2026.2.15; https://github.com/openclaw/openclaw.git - v2026.2.15

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE
