
Description

OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

State: PUBLISHED | Reserved 2026-03-16 | Published 2026-03-26 | Updated 2026-05-25 | Assigner: VulnCheck




HIGH: 8.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 2026.3.28
affected

2026.3.28 (semver)
unaffected

Credits

Zhijie Zhang (finder)

VulnCheck (coordinator)

References

github.com/openclaw/openclaw/pull/54642 exploit

github.com/...enclaw/security/advisories/GHSA-f6pf-4gjx-c94r vendor-advisory

github.com/openclaw/openclaw/pull/54642 issue-tracking

github.com/...ommit/4797bbc5b96e2cca5532e43b58915c051746fe37 patch

www.vulncheck.com/...g-path-traversal-to-arbitrary-file-read third-party-advisory

cve.org (CVE-2026-32846)

nvd.nist.gov (CVE-2026-32846)
