{"data":{"id":"d8e93847-1f89-47fa-b052-fdee16d2a1ec","title":"GHSA-chf7-jq6g-qrwv: OpenClaw: Telegram bot token exposure via logs","summary":"OpenClaw, an npm package, had a vulnerability where Telegram bot tokens (the credentials used to access Telegram's bot API) could leak into logs and error messages because the package did not redact them before logging. An attacker who obtained a leaked token could impersonate the bot and take control of its API access.","solution":"Upgrade to openclaw >= 2026.2.15 when released. Additionally, rotate the Telegram bot token if it may have been exposed, because upgrading does not remove tokens already written to existing logs.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-chf7-jq6g-qrwv","publishedAt":"2026-02-18T22:43:21.000Z","cveId":"CVE-2026-27003","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":["openclaw@< 2026.2.15 (fixed: 2026.2.15)"],"affectedVendors":[],"affectedVendorsRaw":["OpenClaw","Telegram"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00014,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}