Description
OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Read
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation in the assertBrowserNavigationAllowed() function. This allows authenticated users who have browser‑tool access to navigate to file:// URLs. By doing so, attackers can read local files that are accessible to the OpenClaw process user. The leaked files can be captured through browser snapshot and extraction actions, enabling exfiltration of sensitive data. The vulnerability is a CWE‑610 (Improper Restriction of Operations within the Bounds of a Memory Buffer) incident that primarily impacts confidentiality.

Affected Systems

The affected product is OpenClaw from vendor OpenClaw. Versions prior to 2026.2.21 are impacted. No additional version qualifiers are provided in the CNA data.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity level. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed public exploits yet. The attack vector requires authenticated access and the presence of browser‑tool capabilities, limiting the attack surface to legitimate users of the application. Nonetheless, the high severity score and the potential for sensitive data leakage make this vulnerability a high priority for remediation.

Generated by OpenCVE AI on March 19, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenClaw update to version 2026.2.21 or later which removes the faulty URL scheme validation.

Generated by OpenCVE AI on March 19, 2026 at 23:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-45cg-2683-gfmq OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
History

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data.
Title OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-610
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T17:04:09.305Z

Reserved: 2026-03-10T19:48:38.209Z

Link: CVE-2026-32008

cve-icon Vulnrichment

Updated: 2026-03-20T17:03:58.949Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:33.577

Modified: 2026-03-23T17:34:08.087

Link: CVE-2026-32008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:05:35Z

Weaknesses