Summary
Verbose error logging in OpenClaw 2026.4.0–2026.4.5 includes API keys when an HTTP 401 is returned by the LLM provider. Logs are written to stdout and may be exfiltrated by any process with read access to the OpenClaw container.
Details
| CVE ID | CVE-2026-25898 |
| Severity | high (7.4) |
| CVSS vector | AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| Published | 2026-04-22 |
| Patched | not yet |
| Affected versions | 2026.4.0 – 2026.4.5 |
| Fixed in | 2026.4.6 |
| Exploited in the wild | no known exploitation |
Affected projects
What to do
- If you run an affected version: upgrade to
2026.4.6immediately. Do not delay this for convenience reasons. - Rotate any credentials that may have been exposed via the affected component.
- Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
- If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.
Sources
- NIST NVD: CVE-2026-25898 on NVD
See also: all CVEs, tracked agents, methodology.