CVE-2026-26326

Description

### Summary `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `requires.config` paths. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.13` - Patched: `2026.2.14` ### Details The gateway method `skills.status` returned a requirements report that included `configChecks[].value` (the resolved value for each `requires.config` entry). If a skill required a broad config subtree (for example `channels.discord`), the report could include secrets such as Discord bot tokens. `skills.status` is callable with `operator.read`, so read-scoped clients could obtain secrets without `operator.admin` / `config.*` access. ### Fix - Stop including raw resolved config values in requirement checks (return only `{ path, satisfied }`). - Narrow the Discord skill requirement to the token key. Fix commit(s): - d3428053d95eefbe10ecf04f92218ffcba55ae5a - ebc68861a61067fc37f9298bded3eec9de0ba783 ### Mitigation Rotate any Discord tokens that may have been exposed to read-scoped clients. Thanks @simecek for reporting. --- Fix commits d3428053d95eefbe10ecf04f92218ffcba55ae5a and ebc68861a61067fc37f9298bded3eec9de0ba783 confirmed on main and in v2026.2.14. Upgrade to `openclaw >= 2026.2.14`.

How to fix CVE-2026-26326

To remediate CVE-2026-26326, upgrade the affected package to a fixed version below.

• —upgrade to 2026.2.14 or later

Is CVE-2026-26326 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.2.14

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-26326
• PATCHgithub.com/openclaw/openclaw
• WEBgithub.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a
• WEBgithub.com/openclaw/openclaw/commit/ebc68861a61067fc37f9298bded3eec9de0ba783