Which versions of OpenClaw are affected by CVE-2026-43533?

OpenClaw QQBot extension versions before 2026.4.10 contain an arbitrary file read vulnerability that allows unauthenticated remote attackers to disclose sensitive local files through malicious media…. A patch is available.

OpenClaw CVE-2026-43533

Q: What is the CVSS score of CVE-2026-43533?

CVE-2026-43533 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-27277 HIGH

Relative Path Traversal (CWE-23)

2026-05-05 VulnCheck

GHSA-66r7-m7xm-v49h

Information Disclosure

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 05, 2026 - 12:48 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 05, 2026 - 12:37 vuln.today

cvss_changed

CVSS changed

May 05, 2026 - 12:37 NVD

8.6 (HIGH) 8.9 (HIGH)

Source Code Evidence Fetched

May 05, 2026 - 12:19 vuln.today

Analysis Generated

May 05, 2026 - 12:19 vuln.today

DescriptionNVD

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.

AnalysisAI

Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. …

RemediationAI

Within 24 hours: inventory all deployments of OpenClaw npm package and confirm QQBot extension status across development, staging, and production environments. Within 7 days: upgrade all instances to OpenClaw version 2026.4.10 or later (patch commit 604777e4414cc3b2ff8861f18f4fb04374c702c6), and verify patch deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-43533 vulnerability details – vuln.today

Back

OpenClaw CVE-2026-43533

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenClaw CVE-2026-43533

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code