Description
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.
Published: 2026-03-11
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

OpenClaw versions before 2026.2.17 have a path traversal vulnerability in the $include directive that allows an attacker with the ability to modify configuration files to read arbitrary local files outside the intended configuration directory. An attacker can supply absolute paths, traversal sequences, or symlinks in the $include directive to gain read access to files that the OpenClaw process user can read, including API keys, credentials, and other sensitive data. This results in confidentiality compromise for any files accessible to the OpenClaw process.

Affected Systems

Affected systems are installations of the OpenClaw application from the openclaw:openclaw vendor. Versions earlier than 2026.2.17 are impacted. The Common Platform Enumeration entries indicate usage of any platform, including Node.js environments. Therefore, any deployment running a pre‑2026.2.17 build is susceptible.

Risk and Exploitability

The CVSS score is 6.7, indicating moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. The attack vector is local, requiring the attacker to have the ability to modify configuration files or otherwise inject the $include directive. Successful exploitation would result in the attacker gaining read access to any files readable by the OpenClaw process user, which could compromise credential integrity and confidentiality. Because the flaw is an uncontrolled path traversal, it cannot be mitigated through network isolation alone.

Generated by OpenCVE AI on March 17, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the OpenClaw version currently in use.
  • If the version is older than 2026.2.17, apply the vendor patch by upgrading to 2026.2.17 or a later release.
  • If an upgrade is not immediately possible, change file system permissions so that the OpenClaw process user cannot read sensitive files outside the configuration directory.
  • Monitor configuration files and system logs for unauthorized changes to the $include directive.

Generated by OpenCVE AI on March 17, 2026 at 16:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-56pc-6hvp-4gv4 OpenClaw vulnerable to arbitrary file read via $include directive
History

Mon, 16 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 13:45:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.
Title OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-22
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*
cpe:2.3:a:openclaw:openclaw:2026.2.17:*:*:*:*:*:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T14:37:31.749Z

Reserved: 2026-03-10T19:51:58.637Z

Link: CVE-2026-32061

cve-icon Vulnrichment

Updated: 2026-03-11T14:37:26.875Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T14:16:28.140

Modified: 2026-03-16T18:00:12.163

Link: CVE-2026-32061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T14:37:15Z

Weaknesses