Skip to main content

Microsoft EUVDEUVD-2026-17915

| CVE-2026-34510 MEDIUM
Improper Resolution of Path Equivalence (CWE-41)
2026-04-01 VulnCheck
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 01, 2026 - 16:00 euvd
EUVD-2026-17915
Analysis Generated
Apr 01, 2026 - 16:00 vuln.today
Patch released
Apr 01, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 01, 2026 - 15:29 nvd
MEDIUM 6.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 5 npm packages depend on openclaw (5 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.4.2.

DescriptionCVE.org

OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.

AnalysisAI

OpenClaw before version 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style network paths without proper local-path validation, allowing unauthenticated remote attackers to bypass access restrictions and read local files. With a CVSS score of 6.9 and network-based attack vector requiring no user interaction, this vulnerability presents moderate risk to systems processing untrusted media content. No public exploit code or active exploitation has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability exists in OpenClaw's Windows media loader components, which handle file path resolution and content loading. The root cause is improper input validation (CWE-41: Improper Resolution of Path Equivalence) where remote-hosted file URLs and UNC-style paths (network paths using the \\server\share notation) are accepted and processed before adequate local-path validation occurs. This allows attackers to supply network-hosted targets that the application treats as locally-accessible content, effectively bypassing intended access control boundaries. The vulnerability specifically affects how Windows file systems resolve path equivalence, where different path representations (remote URLs, UNC paths, local paths) may reference the same underlying resource.

RemediationAI

Upgrade OpenClaw to version 2026.3.22 or later to obtain the vendor-released patch. Three upstream commits (630f1479c44f78484dfa21bb407cbe6f171dac87, 4fd7feb0fd4ec16c48ed983980dba79a09b3aaf5, and 93880717f1cd34feaa45e74e939b7a5256288901) address the path traversal vulnerability by implementing proper validation of file paths before processing. Detailed remediation guidance and advisory information is available at https://github.com/openclaw/openclaw/security/advisories/GHSA-h3x4-hc5v-v2gm. Organizations should prioritize this patch in their update cycle for systems actively processing media content from potentially untrusted sources.

Share

EUVD-2026-17915 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy