QwikSec

Security Database

CVE

CWE

Training

CVE-2026-32846

Published: Mar 26, 2026

Modified: May 25, 2026

PUBLISHED

Description

OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

Vendor	Product	Versions
OpenClaw	OpenClaw	affected `0 - < 2026.3.28` unaffected `2026.3.28`

Weaknesses (CWE)

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r

vendor-advisory

https://github.com/openclaw/openclaw/pull/54642

issue-tracking

https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37

patch

https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.