OpenClaw Information Disclosure Vulnerability Exposing Telegram Bot Tokens

Vulnerability

An information disclosure vulnerability has been identified in OpenClaw versions prior to 2026.3.13. The issue lies in the fetchRemoteMedia function: when a media download from Telegram fails, the error message it produces includes the original Telegram file URL. Telegram serves bot files from URLs of the form https://api.telegram.org/file/bot<token>/<file_path>, so the URL itself carries the bot token, and embedding it in the error string leaks the token to logs and to any other surface that displays or forwards the error.

Impact

Telegram bot tokens end up in error messages that are written to logs or shown in other error contexts (log aggregation systems, crash reporters, error responses returned to callers). Anyone who can read those surfaces obtains the token, and a bot token grants full control of the bot through the Telegram Bot API: sending messages as the bot, reading the updates it receives, and downloading the files it has access to. The severity therefore depends on who can read OpenClaw's logs and error output, which in many deployments is a wider audience than the people who are meant to hold the token.

Reproduction

The vulnerability can be reproduced on an unpatched instance by causing a Telegram media download to fail, for example by having OpenClaw fetch a file whose file_path no longer exists or by blocking the request so it returns a non-200 status. The resulting error message contains the original file URL, https://api.telegram.org/file/bot<token>/<file_path>, and therefore the token. A simple check is to grep OpenClaw's log output for the string "api.telegram.org/file/bot" or for the bot token pattern (a numeric bot id, a colon, then the secret part) after triggering a failed download; on an affected version the full token appears in the log line.

Remediation

Update to OpenClaw version 2026.3.13 or later, where the fix redacts Telegram bot tokens from error messages before they are logged. Updating does not undo any exposure that has already happened: if an affected version has been running, treat the token as compromised, revoke and reissue it through @BotFather (/revoke or /mybots -> API Token -> Revoke), and purge or scrub the logs and error stores that may contain the old URL.

Added: Mar 31, 2026, 12:24 PM
Updated: Mar 31, 2026, 12:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 5.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.