Skip to main content

OpenClaw CVE-2026-44111

| EUVDEUVD-2026-28188 LOW
Permissive List of Allowed Inputs (CWE-183)
2026-05-06 disclosure@vulncheck.com
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
May 06, 2026 - 21:03 EUVD
Source Code Evidence Fetched
May 06, 2026 - 20:37 vuln.today
Analysis Generated
May 06, 2026 - 20:37 vuln.today
CVE Published
May 06, 2026 - 20:16 nvd
LOW 2.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on openclaw (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.15.

DescriptionCVE.org

OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets.

AnalysisAI

OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.

Technical ContextAI

OpenClaw's QMD (Quarto Markdown) backend implements a memory_get function that retrieves Markdown content from workspace directories. The vulnerability exists in the path-resolution logic of the QmdMemoryManager class, which originally accepted any Markdown file path within the workspace root without validating against a whitelist of canonical memory paths. The root cause falls under CWE-183 (Unspecified Weakness Related to File Handling) and represents an insufficient input validation and access control bypass in a file-reading routine. The fix introduces path normalization and restricts reads to only canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, and the memory/ directory) or previously indexed QMD workspace document paths, as confirmed by the committed changes to qmd-manager.ts.

RemediationAI

Upgrade OpenClaw to version 2026.4.15 or later, which restricts QMD memory_get reads to canonical memory paths (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/) and previously indexed QMD workspace paths. The fix is available in commit 37d5971db36491d5050efd42c333cbe0b98ed292 and merged via PR #66026. For organizations unable to upgrade immediately, restrict access to the memory tool to only trusted users with a legitimate need for memory functionality, and audit any memory tool access logs for suspicious file-read patterns targeting non-canonical Markdown files. Note that this workaround does not eliminate the vulnerability but reduces the likelihood of exploitation by limiting who can invoke the vulnerable code path. The patch should be applied as soon as feasible to restore the intended memory-path security boundary.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-44111 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy