GHSA-9q8j-chc7-wpgp: Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions

March 29, 2026 (updated April 6, 2026)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vr7j-g7jv-h5mp. This link is maintained to preserve external references.

Original Description

OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can read transcript files to extract sensitive information including secrets from tool output.

References

github.com/advisories/GHSA-9q8j-chc7-wpgp
github.com/openclaw/openclaw/commit/095d522099653367e1b76fa5bb09d4ddf7c8a57c
github.com/openclaw/openclaw/security/advisories/GHSA-vr7j-g7jv-h5mp
nvd.nist.gov/vuln/detail/CVE-2026-33572
www.vulncheck.com/advisories/openclaw-insufficient-file-permissions-in-session-transcript-files

Code Behaviors & Features

Detect and mitigate GHSA-9q8j-chc7-wpgp with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →