Skip to main content

OpenClaw CVE-2026-43533

| EUVDEUVD-2026-27277 HIGH
Relative Path Traversal (CWE-23)
2026-05-05 VulnCheck GHSA-66r7-m7xm-v49h
8.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.9 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 05, 2026 - 12:48 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 05, 2026 - 12:37 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 12:37 NVD
8.6 (HIGH) 8.9 (HIGH)
Source Code Evidence Fetched
May 05, 2026 - 12:19 vuln.today
Analysis Generated
May 05, 2026 - 12:19 vuln.today

DescriptionCVE.org

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.

AnalysisAI

Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. Publicly available patch confirmed (GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6). EPSS data unavailable; no CISA KEV listing indicates targeted disclosure rather than widespread exploitation. CVSS 8.9 with network vector and no authentication required, but exploitation requires the QQBot extension to be enabled and processing attacker-controlled reply text.

Technical ContextAI

The vulnerability stems from improper path validation (CWE-23: Relative Path Traversal) in OpenClaw's QQBot extension for npm/Node.js. OpenClaw appears to be an AI-powered chatbot framework integrating with QQ (Tencent's messaging platform). The QQBot module processes media tags in AI-generated reply text to send images, videos, voice, and files. The sendDocument function in extensions/qqbot/index.ts lacked boundary enforcement for local file paths embedded in media tags. An attacker crafting reply text with media tags pointing to arbitrary filesystem paths (e.g., ../../etc/passwd) could trigger outbound media handling to read and transmit those files through QQ's API. The fix adds an allowQQBotDataDownloads flag and enforces that all outbound local file references resolve within the designated media storage directory (getQQBotMediaDir()), preventing path traversal. The patch also introduces comprehensive security tests (outbound.security.test.ts with 401 lines) validating boundary enforcement across all media types (file, image, video, voice) and target contexts (C2C, group, channel, DM).

RemediationAI

Upgrade to OpenClaw version 2026.4.10 or newer immediately; the latest npm release 2026.4.14 includes the fix. Install via npm with 'npm install openclaw@latest' or pin to 'openclaw@2026.4.10' minimum. Vendor-released patch confirmed in GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6 and pull request #63271 at https://github.com/openclaw/openclaw/pull/63271. The fix enforces media storage boundary validation for all outbound QQBot local file paths by introducing an allowQQBotDataDownloads flag and path resolution checks within the designated media directory. If immediate patching is not feasible, disable the QQBot extension entirely in OpenClaw configuration to eliminate the attack surface - this prevents all QQ platform integration but removes file disclosure risk. Alternatively, implement strict input validation on AI reply text to block media tag patterns referencing filesystem paths (regex filter for '../' sequences, absolute paths, or non-media-directory references), though this workaround may be bypassed by encoding variations and is not a substitute for patching. Monitor outbound QQBot media requests for suspicious file paths outside expected media directories as a detective control. Review application logs for anomalous file access patterns to /etc/, /home/, /root/, or other sensitive directories accessed via the OpenClaw process user. Full advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h.

CVE-2026-28446 CRITICAL POC
9.4 Mar 05

Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.

CVE-2026-33579 CRITICAL POC
9.4 Mar 31

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b

CVE-2026-32042 HIGH POC
8.8 Mar 21

OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att

CVE-2026-32051 HIGH POC
8.8 Mar 21

An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.

CVE-2026-25253 HIGH POC
8.8 Feb 01

OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e

CVE-2026-32846 HIGH POC
8.7 Mar 26

Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in

CVE-2026-32064 HIGH POC
7.7 Mar 21

OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all

CVE-2026-32055 HIGH POC
7.6 Mar 21

OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director

CVE-2026-32056 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func

CVE-2026-32049 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste

CVE-2026-32048 HIGH POC
7.5 Mar 21

OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low

CVE-2026-25474 HIGH POC
7.5 Feb 19

OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec

Share

CVE-2026-43533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy