OpenClaw Telegram Bot Token Exposure Vulnerability

Vulnerability

OpenClaw, a personal AI assistant, logs Telegram bot tokens unredacted in error messages and stack traces. The issue affects OpenClaw versions through 2026.2.14. Because the token is written verbatim, it can leak into logs, crash reports, continuous integration output, or support bundles, and anyone who reads it can impersonate the bot and call the Bot API as that bot.

Impact

The vulnerability allows for the unauthorized use of a Telegram bot by exposing the bot token, which can be used to impersonate the bot and access its API functionalities.

Reproduction

To reproduce, run an OpenClaw version prior to 2026.2.15 and trigger an error whose message includes a Telegram Bot API URL. Bot API URLs carry the token in the request path (https://api.telegram.org/bot<token>/<method>), so the token is logged without redaction and appears in the error message or stack trace.
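The following is an added example (JavaScript for Node.js), not OpenClaw's own code, showing the failure mode described above and the redact-at-the-log-boundary pattern that prevents it. It assumes a Telegram bot token has the shape "<numeric bot id>:<secret>" with a secret made of letters, digits, '_' and '-'; the sample token, the function names (redactTelegramToken, safeLogLine, demo) and the error text are all constructed for illustration.

```javascript
// Added example, not OpenClaw's own code: redact Telegram bot tokens from any
// string before it reaches a log sink (logger, crash reporter, CI output).
//
// Assumption: a bot token has the shape "<numeric bot id>:<secret>", where the
// secret is a run of letters, digits, '_' and '-' (35 characters in practice;
// 20 or more are matched here so a slightly different length still gets
// redacted). Bot API requests embed the whole token in the URL path, e.g.
// https://api.telegram.org/bot<token>/getMe, which is why a request error
// that prints its URL prints the token.
const TELEGRAM_TOKEN = /(\d+):([A-Za-z0-9_-]{20,})(?![A-Za-z0-9_-])/g;

// Keep the numeric bot id (not secret, useful for correlating log lines) and
// replace the secret half with a marker. Non-strings pass through untouched.
function redactTelegramToken(text) {
  if (typeof text !== 'string') return text;
  return text.replace(TELEGRAM_TOKEN, (_match, botId) => `${botId}:[REDACTED]`);
}

// Constructed sample token; the secret is a placeholder, not a real credential.
const SAMPLE_BOT_ID = '123456789';
const SAMPLE_SECRET = 'AAF' + 'x'.repeat(32); // 35 characters, like a real one
const SAMPLE_TOKEN = `${SAMPLE_BOT_ID}:${SAMPLE_SECRET}`;

// Builds the kind of error an HTTP client raises when a Bot API call fails:
// the request URL, token included, ends up in the message and hence in the
// stack (Node puts the message on the first line of Error.stack).
function makeSampleError() {
  return new Error(
    `request to https://api.telegram.org/bot${SAMPLE_TOKEN}/getMe failed, reason: ECONNRESET`
  );
}

// Vulnerable pattern: message and stack are written to the log verbatim.
function vulnerableLogLine(err) {
  return `telegram request failed: ${err.message}\n${err.stack}`;
}

// Hardened pattern: the redactor sits at the log boundary, so every string
// (message and stack alike) is scrubbed no matter which code path raised it.
function safeLogLine(err) {
  return redactTelegramToken(`telegram request failed: ${err.message}\n${err.stack}`);
}

// Runs both patterns on the sample error and reports whether each leaked.
function demo() {
  const err = makeSampleError();
  const vulnerable = vulnerableLogLine(err);
  const safe = safeLogLine(err);
  return {
    vulnerable,
    safe,
    vulnerableLeaks: vulnerable.includes(SAMPLE_SECRET),
    safeLeaks: safe.includes(SAMPLE_SECRET),
  };
}

const report = demo();
console.log('vulnerable line leaks token:', report.vulnerableLeaks);
console.log('hardened line leaks token:  ', report.safeLeaks);
console.log(report.safe.split('\n')[0]);
```

Placing the redactor in the logger (or in the error serializer that feeds crash reports and support bundles) rather than at each call site is the point: a token can reach a log through any failing request, and a single choke point is far easier to audit than every catch block. Keeping the numeric bot id visible preserves enough context to triage without exposing the secret half.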

Remediation

Users should upgrade to OpenClaw version 2026.2.15 or later and rotate their Telegram bot token if it may have been exposed.

Added: Feb 20, 2026, 12:23 AM
Updated: Feb 20, 2026, 12:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 5.8
remediation: 0.0
relevance: 3.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.