CVE-2026-33572

Sažetak

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

Reference

https://github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
https://github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp
https://www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files

CVSS

Base:	8.4
Impact:	5.9
Exploitability:	2.5

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

31-03-2026 - 17:37

Objavljeno

29-03-2026 - 13:17