OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read…
VulnCheck·CWE-378·Published 2026-03-16
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.
`openclaw` created new session transcript JSONL files with overly broad default permissions in affected releases. On multi-user hosts, other local users or processes could read transcript contents, including secrets that might appear in tool output.

## Affected Packages / Versions

- Package: `openclaw` (`npm`)
- Affected versions: `<= 2026.2.15`
- First fixed version: `2026.2.17`
- Current latest npm release checked during verification: `2026.3.13` (not affected)

## Impact

Session transcript JSONL files are created under the local OpenClaw session store. In affected releases, newly created transcript files did not force user-only permissions, so transcript contents could be readable by other local users depending on the host environment and umask behavior.

## Fix

New transcript files are now created with `0o600` permissions. Existing transcript permission drift is also remediated by the security audit fix flow.

Verified in code:

- `src/config/sessions/transcript.ts:82` writes new transcript files with `mode: 0o600`
- `src/config/sessions/sessions.test.ts:303` includes regression coverage asserting `0o600`

## Fix Commit(s)

- `095d522099653367e1b76fa5bb09d4ddf7c8a57c`

## Release Note

This fix first shipped in `2026.2.17` and is present in the current npm release `2026.3.13`.
OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information, including secrets from tool output.
CVSS scores by source. Note that the cve.org 3.1 vector rates integrity and availability High, while the cve.org 4.0 vector from the same source and the advisory text describe a confidentiality-only disclosure; NVD's primary 3.1 score treats it as confidentiality-only with low privileges required.

| Version | Type | Source | Base score | Exploitability subscore | Impact subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 8.4 | — | — | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 5.5 | 1.8 | 3.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | NVD | 8.4 | 2.5 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Primary | cve.org | 6.8 | — | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 6.8 | — | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 5.7 | — | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |