Cyber Resilience

CVE-2026-32982

High · Public PoC

Published: 31 March 2026
Modified: 02 April 2026
KEV Added: not listed
Patch: OpenClaw 2026.3.13 or later
CVSS v4 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0042 (33.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32982 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 33.4th percentile by exploit likelihood (below the median). It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-3 (Content of Audit Records).

Deeper analysis

CVE-2026-32982 is an information disclosure vulnerability in OpenClaw versions before 2026.3.13. The flaw occurs in the fetchRemoteMedia function, where failed media downloads cause the original Telegram file URLs—containing bot tokens—to be embedded in MediaFetchError strings. These tokens are subsequently leaked to logs and error surfaces. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-532 (Insertion of Sensitive Information into Log File).

The vulnerability can be exploited by any remote attacker with network access, requiring no privileges, user interaction, or special complexity. By triggering a media download failure, an attacker can obtain Telegram bot tokens from exposed logs or error messages. Successful exploitation grants the tokens, allowing potential takeover of the associated Telegram bots for malicious actions based on their configured permissions.

Mitigation involves upgrading to OpenClaw 2026.3.13 or later, as detailed in the patching commit (7a53eb7ea8295b08be137e231c9a98c1a79b5cd5) and the GitHub security advisory (GHSA-xwcj-hwhf-h378). Further analysis is provided in the VulnCheck advisory on the Telegram bot token exposure in media fetch error logs.

Vulnerability details

OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to logs and error surfaces.

CWE(s)

CWE-532 Insertion of Sensitive Information into Log File

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1528 Steal Application Access Token (tactic: Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

Remote network exploitation of the public-facing fetchRemoteMedia flaw directly enables T1190; resulting disclosure of Telegram bot tokens from logs/error surfaces directly enables T1528.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28464 (same product: Openclaw Openclaw)
CVE-2026-32924 (same product: Openclaw Openclaw)
CVE-2026-41394 (same product: Openclaw Openclaw)
CVE-2026-43573 (same product: Openclaw Openclaw)
CVE-2026-31989 (same product: Openclaw Openclaw)
CVE-2026-28472 (same product: Openclaw Openclaw)
CVE-2026-41395 (same product: Openclaw Openclaw)
CVE-2026-32004 (same product: Openclaw Openclaw)
CVE-2026-43580 (same product: Openclaw Openclaw)
CVE-2026-35637 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.3.13

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SI-11 (prevent): mandates error handling that suppresses sensitive information in error messages, directly preventing exposure of Telegram bot tokens in MediaFetchError strings.

AU-3 (prevent): requires defining audit record content to exclude unnecessary sensitive data, mitigating insertion of bot token URLs into log files.

AU-13 (detect): provides monitoring for unauthorized information disclosures, enabling detection of leaked Telegram bot tokens in logs and error surfaces.
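The following is an added example, not OpenClaw's own code and not the patch referenced by the commit above. It illustrates both the flaw described under Deeper analysis (a Telegram file URL carrying the bot token interpolated into a MediaFetchError string) and the SI-11 / AU-13 controls listed here: one hardened form that redacts the token before the URL enters the error message, and a scanner that flags tokens already present in log lines. Only the name MediaFetchError comes from the page; the token regex, `redactTelegramToken`, the simulated `fetchRemoteMedia`, `findLeakedTokens` and the sample log are assumptions made for this example, and the Telegram URL and token shapes are taken from Telegram's public Bot API conventions.

```javascript
// Added example, not OpenClaw's own code. It shows one hardened shape for the
// fetchRemoteMedia / MediaFetchError pattern described on this page (strip the
// bot token from a Telegram file URL before it can reach an error message or
// log) and a detector for tokens that already leaked into a log (AU-13).
// Only the name MediaFetchError comes from the page; every other name here is
// an assumption made for this example.

// Telegram's file download endpoint puts the bot token in the URL path:
//   https://api.telegram.org/file/bot<token>/<file_path>
// A bot token is "<bot id digits>:<secret>", the secret commonly being 35
// characters of [A-Za-z0-9_-]. Adjust the lengths if your tokens differ.
const BOT_TOKEN_RE = /\d{6,12}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])/g;

// Replace any bot token in a string with a fixed marker. The URL stays
// readable for debugging (host, file path) but no longer carries a credential.
function redactTelegramToken(text) {
  return String(text).replace(BOT_TOKEN_RE, "[REDACTED_BOT_TOKEN]");
}

// Hardened error: the raw URL is redacted before it is interpolated into the
// message, and only the redacted form is kept on the `url` property that a
// structured logger might serialize. (The vulnerable shape interpolated the
// raw URL directly into the error string.)
class MediaFetchError extends Error {
  constructor(url, reason) {
    const safeUrl = redactTelegramToken(url);
    super(`failed to fetch remote media from ${safeUrl}: ${reason}`);
    this.name = "MediaFetchError";
    this.url = safeUrl;
  }
}

// Stand-in for the download step: it always fails and returns the error that
// would be thrown, so the caller can inspect exactly what a logger would see.
function fetchRemoteMedia(url) {
  const reason = "HTTP 404"; // constructed failure reason
  return new MediaFetchError(url, reason);
}

// Detection side (AU-13): scan log lines for bot tokens that already leaked.
// Each hit records the 1-based line number and a masked token (first four and
// last four characters) so the finding itself does not re-leak the secret.
function findLeakedTokens(logLines) {
  const hits = [];
  logLines.forEach((line, i) => {
    for (const match of line.matchAll(BOT_TOKEN_RE)) {
      const token = match[0];
      hits.push({ line: i + 1, token: `${token.slice(0, 4)}...${token.slice(-4)}` });
    }
  });
  return hits;
}

// --- constructed sample data (fake token, fake log lines) ---
const SAMPLE_TOKEN = "123456789:" + "A".repeat(35);
const SAMPLE_URL = `https://api.telegram.org/file/bot${SAMPLE_TOKEN}/photos/file_1.jpg`;
const SAMPLE_LOG = [
  "2026-03-31T10:00:00Z info telegram: media fetch start",
  `2026-03-31T10:00:01Z error MediaFetchError: failed to fetch ${SAMPLE_URL}`,
  "2026-03-31T10:00:02Z info telegram: retry scheduled",
];

// Hardened path: the message is safe to log as-is.
const demoError = fetchRemoteMedia(SAMPLE_URL);
console.log(demoError.message);
// Detection path: the unredacted line 2 of the sample log is flagged.
console.log(findLeakedTokens(SAMPLE_LOG));
```

The redaction sits where the URL enters the error, not only in the logger, because the page notes the same string reaches error surfaces as well as logs; a logger-side filter would miss an API response or UI that renders the error message directly. The detector is a retrospective AU-13 check for logs written before the fix was deployed, and it reports masked tokens so that the finding can be shared without repeating the exposure.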
