Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.
AnalysisAI
Arbitrary file read in OpenClaw QQBot extension allows remote unauthenticated attackers to disclose sensitive local files by crafting malicious media tags in reply text. The vulnerability exists in OpenClaw npm package versions before 2026.4.10, where QQBot outbound media handling fails to enforce storage boundaries, enabling path traversal to read files outside the intended media directory. Publicly available patch confirmed (GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6). EPSS data unavailable; no CISA KEV listing indicates targeted disclosure rather than widespread exploitation. CVSS 8.9 with network vector and no authentication required, but exploitation requires the QQBot extension to be enabled and processing attacker-controlled reply text.
Technical ContextAI
The vulnerability stems from improper path validation (CWE-23: Relative Path Traversal) in OpenClaw's QQBot extension for npm/Node.js. OpenClaw appears to be an AI-powered chatbot framework integrating with QQ (Tencent's messaging platform). The QQBot module processes media tags in AI-generated reply text to send images, videos, voice, and files. The sendDocument function in extensions/qqbot/index.ts lacked boundary enforcement for local file paths embedded in media tags. An attacker crafting reply text with media tags pointing to arbitrary filesystem paths (e.g., ../../etc/passwd) could trigger outbound media handling to read and transmit those files through QQ's API. The fix adds an allowQQBotDataDownloads flag and enforces that all outbound local file references resolve within the designated media storage directory (getQQBotMediaDir()), preventing path traversal. The patch also introduces comprehensive security tests (outbound.security.test.ts with 401 lines) validating boundary enforcement across all media types (file, image, video, voice) and target contexts (C2C, group, channel, DM).
RemediationAI
Upgrade to OpenClaw version 2026.4.10 or newer immediately; the latest npm release 2026.4.14 includes the fix. Install via npm with 'npm install openclaw@latest' or pin to 'openclaw@2026.4.10' minimum. Vendor-released patch confirmed in GitHub commit 604777e4414cc3b2ff8861f18f4fb04374c702c6 and pull request #63271 at https://github.com/openclaw/openclaw/pull/63271. The fix enforces media storage boundary validation for all outbound QQBot local file paths by introducing an allowQQBotDataDownloads flag and path resolution checks within the designated media directory. If immediate patching is not feasible, disable the QQBot extension entirely in OpenClaw configuration to eliminate the attack surface - this prevents all QQ platform integration but removes file disclosure risk. Alternatively, implement strict input validation on AI reply text to block media tag patterns referencing filesystem paths (regex filter for '../' sequences, absolute paths, or non-media-directory references), though this workaround may be bypassed by encoding variations and is not a substitute for patching. Monitor outbound QQBot media requests for suspicious file paths outside expected media directories as a detective control. Review application logs for anomalous file access patterns to /etc/, /home/, /root/, or other sensitive directories accessed via the OpenClaw process user. Full advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27277
GHSA-66r7-m7xm-v49h