Description

OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.

Status: PUBLISHED | Reserved 2026-03-10 | Published 2026-03-11 | Updated 2026-03-11 | Assigner: VulnCheck




MEDIUM: 6.7 (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)
MEDIUM: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected
Any version before 2026.2.17: affected
2026.2.17: unaffected

Credits

Aether AI (@aether-ai-agent) reporter

References

github.com/...enclaw/security/advisories/GHSA-56pc-6hvp-4gv4 (GitHub Security Advisory (GHSA-56pc-6hvp-4gv4)) third-party-advisory

github.com/...ommit/d1c00dbb7c64a39e205464dae7f2a068420e91c1 (Patch Commit) issue-tracking

www.vulncheck.com/...ad-via-include-directive-path-traversal (VulnCheck Advisory: OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal) third-party-advisory

cve.org (CVE-2026-32061)

nvd.nist.gov (CVE-2026-32061)
