Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local workspace access with a low-privileged account is required (AV:L, PR:L); manipulation is straightforward once access exists (AC:L), no extra user interaction is needed, and artifact loading yields full code execution impact (C:H/I:H/A:H).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected workspaces can load memory-core artifacts from unintended local locations, potentially executing malicious code or accessing sensitive data.
AnalysisAI
Path traversal in OpenClaw before version 2026.4.25 allows attackers with workspace access to manipulate local package root resolution and load memory-core artifacts from attacker-controlled locations, leading to arbitrary code execution or sensitive data disclosure. The flaw stems from workspace state influencing artifact resolution paths (CWE-427, Uncontrolled Search Path Element). No public exploit identified at time of analysis, though VulnCheck has published a dedicated advisory describing the fake package root resolution technique.
Technical ContextAI
OpenClaw is the affected product (CPE: cpe:2.3:a:openclaw:openclaw). The root cause is CWE-427 (Uncontrolled Search Path Element): the memory-core artifact loader resolves its local package root using workspace state that an attacker can influence, rather than from a trusted, fixed location. Because artifact loading typically results in code execution within the host process, controlling the resolved path lets an attacker substitute a malicious package and have it loaded as if it were legitimate. The 'fake package root resolution' framing from VulnCheck indicates the issue is in the path/root selection logic, not in a generic '../' traversal of file reads.
RemediationAI
Vendor-released patch: upgrade OpenClaw to 2026.4.25 or later, as described in GHSA-v8cx-933x-r976 (https://github.com/openclaw/openclaw/security/advisories/GHSA-v8cx-933x-r976). Until the upgrade is applied, restrict workspace access to trusted users only and avoid opening untrusted workspaces or projects in OpenClaw, since workspace state is the input that drives the malicious package root resolution; this trades collaboration convenience for safety. Where feasible, run OpenClaw under a least-privileged OS account so that arbitrary code triggered via a malicious artifact is contained, and monitor file-system writes into OpenClaw workspace and package directories for unexpected artifact files. Consult the VulnCheck advisory (https://www.vulncheck.com/advisories/openclaw-arbitrary-artifact-loading-via-fake-package-root-resolution) for indicators specific to the fake package root resolution behavior.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36319
GHSA-v8cx-933x-r976