Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 npm packages depend on openclaw (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.4.15.
DescriptionCVE.org
OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with access to the memory tool can bypass path restrictions by providing arbitrary workspace Markdown paths to read files outside canonical memory locations or indexed QMD result sets.
AnalysisAI
OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.
Technical ContextAI
OpenClaw's QMD (Quarto Markdown) backend implements a memory_get function that retrieves Markdown content from workspace directories. The vulnerability exists in the path-resolution logic of the QmdMemoryManager class, which originally accepted any Markdown file path within the workspace root without validating against a whitelist of canonical memory paths. The root cause falls under CWE-183 (Unspecified Weakness Related to File Handling) and represents an insufficient input validation and access control bypass in a file-reading routine. The fix introduces path normalization and restricts reads to only canonical memory files (MEMORY.md, memory.md, DREAMS.md, dreams.md, and the memory/ directory) or previously indexed QMD workspace document paths, as confirmed by the committed changes to qmd-manager.ts.
RemediationAI
Upgrade OpenClaw to version 2026.4.15 or later, which restricts QMD memory_get reads to canonical memory paths (MEMORY.md, memory.md, DREAMS.md, dreams.md, memory/) and previously indexed QMD workspace paths. The fix is available in commit 37d5971db36491d5050efd42c333cbe0b98ed292 and merged via PR #66026. For organizations unable to upgrade immediately, restrict access to the memory tool to only trusted users with a legitimate need for memory functionality, and audit any memory tool access logs for suspicious file-read patterns targeting non-canonical Markdown files. Note that this workaround does not eliminate the vulnerability but reduces the likelihood of exploitation by limiting who can invoke the vulnerable code path. The patch should be applied as soon as feasible to restore the intended memory-path security boundary.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-183 – Permissive List of Allowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28188