Summary
OpenClaw stored API keys for LLM providers in plaintext in ~/.openclaw/credentials.json with mode 644. Any process running under the same user could read the file. The pre-2026.2.10 default tools included an unrestricted file-read tool, making prompt-injection-driven credential exfiltration trivial.
Details
| CVE ID | CVE-2026-25103 |
| Severity | critical (9.1) |
| CVSS vector | AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| Published | 2026-02-04 |
| Patched | 2026-02-08 |
| Affected versions | ≤ 2026.2.9 |
| Fixed in | 2026.2.10 (with manual key rotation required) |
| Exploited in the wild | yes |
Affected projects
What to do
- If you run an affected version: upgrade to
2026.2.10 (with manual key rotation required)immediately. Do not delay this for convenience reasons. - Rotate any credentials that may have been exposed via the affected component.
- Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
- If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.
Sources
- NIST NVD: CVE-2026-25103 on NVD
See also: all CVEs, tracked agents, methodology.