OpenClaw versions before 2026.3.13 leaked Telegram bot tokens in error messages returned from the fetchRemoteMedia function, allowing anyone who could trigger a malformed media fetch to recover full bot credentials.
The fetchRemoteMedia function constructed its outbound URL by interpolating the user's Telegram bot token directly into the request path. When the function encountered a non-2xx response, it propagated the full request URL — token and all — into the error message returned to the caller. Because OpenClaw surfaces tool-call errors back to the conversation (and often to third-party webhooks), any attacker able to cause a media fetch to fail could recover the bot's credentials. Exploitation required only a malformed media URL and access to the error stream.
The Actual Culprit
The error-reporting path re-surfaced the fully-interpolated request URL to the caller. Secrets were never redacted from error messages.
The instant a secret is part of a URL, it lands in logs, error traces, referer headers, proxy records, and pastebin screenshots. Use headers or request bodies.
Any path that bubbles raw request metadata to users is a credential leak waiting to happen. Treat error serialization as a security boundary.
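The following is an added illustration, not OpenClaw's own code, written in TypeScript with network I/O replaced by an injected fetcher so it runs offline; the token, file path and backend responses are constructed samples. It shows the vulnerable shape described above (token interpolated into the request path, raw URL echoed into the error) beside a hardened version. Because Telegram's Bot API itself places the token in the URL path, the fix cannot simply move the secret to a header; the example therefore keeps the full URL out of every error it builds and additionally scrubs the token from anything the HTTP layer throws, which is the "error serialization as a security boundary" point in general form.

```typescript
// Added example (not OpenClaw's code): a media fetch that leaks its bot
// token through error messages, beside a version that keeps the token out
// of every error it surfaces. The fetcher is injected so the code runs offline.

type FetchResult = { status: number; body: string };
type Fetcher = (url: string) => FetchResult;

// Constructed sample values, not real credentials.
const SAMPLE_TOKEN = "123456:ABC-DEF_sampleTokenValue";
const BASE = "https://api.telegram.org"; // Telegram's Bot API puts the token in the path

// Vulnerable shape: the token is interpolated into the path and the raw URL
// is echoed into the error, so any non-2xx response reveals the credential.
function fetchRemoteMediaVulnerable(token: string, filePath: string, fetcher: Fetcher): string {
  const url = `${BASE}/file/bot${token}/${filePath}`;
  const res = fetcher(url);
  if (res.status < 200 || res.status >= 300) {
    throw new Error(`media fetch failed: ${res.status} for ${url}`);
  }
  return res.body;
}

// Replace every occurrence of each known secret with a fixed marker.
function redactSecrets(text: string, secrets: string[]): string {
  let out = text;
  for (const s of secrets) {
    if (s.length > 0) out = out.split(s).join("[REDACTED]");
  }
  return out;
}

// Error type that carries only the status and a caller-supplied resource name.
class MediaFetchError extends Error {
  readonly status: number;
  readonly resource: string;
  constructor(status: number, resource: string) {
    super(`media fetch failed: HTTP ${status} for ${resource}`);
    this.status = status;
    this.resource = resource;
  }
}

// Hardened shape: errors are built without the URL, and anything thrown by the
// HTTP layer (which may embed the URL) is scrubbed before it leaves the function.
function fetchRemoteMediaSafe(token: string, filePath: string, fetcher: Fetcher): string {
  const url = `${BASE}/file/bot${token}/${filePath}`;
  try {
    const res = fetcher(url);
    if (res.status < 200 || res.status >= 300) {
      // Report the file path the caller already knows, never the full URL.
      throw new MediaFetchError(res.status, filePath);
    }
    return res.body;
  } catch (e) {
    const msg = e instanceof Error ? e.message : String(e);
    throw new Error(redactSecrets(msg, [token]));
  }
}

// Test helper: return the error message a caller (or webhook) would see.
function errorMessageFrom(fn: () => unknown): string {
  try {
    fn();
    return "";
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}

// Constructed backends: one that answers 404 and mentions the URL in its body,
// one that throws a transport error containing the URL, as HTTP clients often do.
const failing: Fetcher = (url) => ({ status: 404, body: `not found: ${url}` });
const throwing: Fetcher = (url) => {
  throw new Error(`ECONNRESET while fetching ${url}`);
};

console.log("vulnerable:", errorMessageFrom(() => fetchRemoteMediaVulnerable(SAMPLE_TOKEN, "photos/file_1.jpg", failing)));
console.log("hardened:  ", errorMessageFrom(() => fetchRemoteMediaSafe(SAMPLE_TOKEN, "photos/file_1.jpg", failing)));
console.log("transport: ", errorMessageFrom(() => fetchRemoteMediaSafe(SAMPLE_TOKEN, "photos/file_1.jpg", throwing)));
```

The redactor is deliberately applied at the function boundary rather than at each `throw` site, so a later change that adds a new error path (a timeout, a JSON parse failure quoting the response) cannot reintroduce the leak without bypassing the catch. In a real deployment the same scrubbing belongs in whatever serializes tool-call errors for the conversation and for outbound webhooks, since those are the sinks the advisory names.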