CVE-2026-32982
Published: 31 March 2026
Summary
CVE-2026-32982 is a high-severity Insertion of Sensitive Information into Log File (CWE-532) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and AU-3 (Content of Audit Records).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-11 mandates error handling that suppresses sensitive information in error messages, directly preventing exposure of Telegram bot tokens in MediaFetchError strings.
AU-3 requires defining audit record content to exclude unnecessary sensitive data, mitigating insertion of bot token URLs into log files.
AU-13 provides monitoring for unauthorized information disclosures, enabling detection of leaked Telegram bot tokens in logs and error surfaces.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of the public-facing fetchRemoteMedia flaw directly enables T1190; resulting disclosure of Telegram bot tokens from logs/error surfaces directly enables T1528.
NVD Description
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings and leaked to…
more
logs and error surfaces.
Deeper analysisAI
CVE-2026-32982 is an information disclosure vulnerability in OpenClaw versions before 2026.3.13. The flaw occurs in the fetchRemoteMedia function, where failed media downloads cause the original Telegram file URLs—containing bot tokens—to be embedded in MediaFetchError strings. These tokens are subsequently leaked to logs and error surfaces. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-532 (Insertion of Sensitive Information into Log File).
The vulnerability can be exploited by any remote attacker with network access, requiring no privileges, user interaction, or special complexity. By triggering a media download failure, an attacker can obtain Telegram bot tokens from exposed logs or error messages. Successful exploitation grants the tokens, allowing potential takeover of the associated Telegram bots for malicious actions based on their configured permissions.
Mitigation involves upgrading to OpenClaw 2026.3.13 or later, as detailed in the patching commit (7a53eb7ea8295b08be137e231c9a98c1a79b5cd5) and the GitHub security advisory (GHSA-xwcj-hwhf-h378). Further analysis is provided in the VulnCheck advisory on the Telegram bot token exposure in media fetch error logs.
Details
- CWE(s)