DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-FQCM-97M6-W7RM: GHSA-FQCM-97M6-W7RM: Arbitrary File Read via Path Traversal in OpenClaw Message Actions

#security #cve #cybersecurity #ghsa

GHSA-FQCM-97M6-W7RM: Arbitrary File Read via Path Traversal in OpenClaw Message Actions

Vulnerability ID: GHSA-FQCM-97M6-W7RM
CVSS Score: 9.8
Published: 2026-03-02

OpenClaw prior to version 2026.3.1 contains a critical path traversal vulnerability in the message attachment hydration process. The system fails to validate file paths when a sandbox root is not explicitly configured, allowing AI agents or attackers with API access to read arbitrary files from the host filesystem. This 'fail-open' behavior permits the exfiltration of sensitive system files via supported messaging channels.

TL;DR

A logic error in OpenClaw's hydrateAttachmentPayload function allows arbitrary file reads when a sandbox root is undefined. Attackers can exploit this via prompt injection or direct API calls to read host files (e.g., /etc/passwd) and exfiltrate them through messaging integrations like Telegram or Slack. Fixed in version 2026.3.1.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network / Prompt Injection
  • CVSS Score: 9.8
  • Severity: Critical
  • Impact: Arbitrary File Read
  • Exploit Status: PoC Available

Affected Systems

  • OpenClaw (npm package)
  • openclaw: < 2026.3.1 (Fixed in: 2026.3.1)

Code Analysis

Commit: 270ab03

Fix path traversal in message action params by enforcing local roots

const media = sandboxRoot
  ? await loadWebMedia(mediaSource, { ... })
- : await loadWebMedia(mediaSource, { maxBytes });
+ : await loadWebMedia(mediaSource, { maxBytes, localRoots: params.mediaLocalRoots });
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Update the openclaw dependency to version 2026.3.1 or later immediately.
  • If immediate patching is not possible, ensure the OpenClaw agent runs in a containerized environment (Docker/Kubernetes) with strictly limited filesystem mounts to mitigate the impact of arbitrary file reads.
  • Configure network policies to restrict the agent's ability to communicate with external messaging APIs if not strictly required.

Remediation Steps:

  1. Identify all projects using openclaw via npm ls openclaw.
  2. Update the package using npm install openclaw@latest or yarn upgrade openclaw.
  3. Verify the installed version is at least 2026.3.1.
  4. Restart the OpenClaw service to apply changes.

References

Read the full report for GHSA-FQCM-97M6-W7RM on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)