Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (in common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.
Published: 2026-02-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Read via Path Traversal
Action: Patch Now
AI Analysis

Impact

A flaw in the browser upload workflow of OpenClaw allows an authenticated user to retrieve arbitrary files from the host system. By providing absolute paths or crafted path traversal sequences to the browser tool's upload action, the server forwards these paths to Playwright's file input APIs without constraining them to a safe directory. The flaw can lead to reading any file accessible to the process, resulting in confidentiality compromise. The weakness is a classic path traversal, identified as CWE-22.

Affected Systems

The vulnerability affects OpenClaw personal AI assistant versions prior to 2026.2.14. Only deployments that expose the Gateway HTTP interface, supply valid authentication (bearer token or password), and enable the browser tool within a session are susceptible. Default setups typically bind the gateway to loopback, but administrators who expose the gateway to LAN, tailnet, a reverse proxy, or tunnels expand the attacker’s reach.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires authenticated access to the gateway and the presence of the browser tool in the tool policy. If the gateway is exposed beyond loopback, exploitation becomes feasible over the network, potentially allowing remote attackers to read sensitive files.

Generated by OpenCVE AI on April 17, 2026 at 17:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later, which confines upload paths to the temporary uploads directory and rejects traversal attempts.
  • If the gateway must be accessible beyond loopback, restrict its exposure to trusted networks, use TLS, and limit authentication scopes to only those tenants that require it.
  • Verify that the browser tool policy for sessions does not permit arbitrary file paths and enforce upload root restrictions to the application-defined directory.

Generated by OpenCVE AI on April 17, 2026 at 17:45 UTC.

Advisories
Source      | ID                  | Title
Github GHSA | GHSA-cv7m-c9jx-vg7q | OpenClaw has a path traversal in browser upload allows local file read
History

Fri, 20 Feb 2026 19:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Metrics |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 20 Feb 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openclaw; Openclaw openclaw
Vendors & Products  |                | Openclaw; Openclaw openclaw

Thu, 19 Feb 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.
Title       |                | OpenClaw has a path traversal in browser upload allows local file read
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:38:37.988Z

Reserved: 2026-02-13T16:27:51.809Z

Link: CVE-2026-26329

Vulnrichment

Updated: 2026-02-20T15:27:04.336Z

NVD

Status : Analyzed

Published: 2026-02-20T00:16:15.687

Modified: 2026-02-20T19:05:23.493

Link: CVE-2026-26329

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses