Description
A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.
Published: 2026-03-12
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability resides in the tools.exec.safeBins function of the File Existence Handler component in OpenClaw. By manipulating the input, a local attacker can make the component behave differently depending on whether a given path exists, and so infer the presence or absence of files they are not permitted to read. The weakness is classified as CWE-200 (exposure of sensitive information to an unauthorized actor) and CWE-203 (observable discrepancy): the sensitive information is the existence of protected files, and it leaks through a discrepancy in how the handler responds to different file paths.

Affected Systems

OpenClaw applications running any version up to and including 2026.2.17 are affected. The CPE entries describe OpenClaw as a Node.js application without restricting the operating system, so every build that includes the File Existence Handler component should be treated as affected regardless of platform.

Risk and Exploitability

The CVSS score is 4.8, reflecting a moderate severity. The EPSS score is less than 1%, meaning exploitation is expected to be rare. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, further reducing its public exploit likelihood. Exploitation requires local access to the system, so an attacker must already have some level of entry. Given the local scope and low exploit probability, the overall risk is low but not negligible for systems that handle confidential data.

Generated by OpenCVE AI on March 17, 2026 at 17:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading OpenClaw to version 2026.2.19-beta.1 (commit bafdbb6f112409a65decd3d4e7350fbd637c7754)
  • Verify the upgrade has been applied by checking the release notes or commit hash


Advisories
Source: Github GHSA
ID: GHSA-6c9j-x93c-rw6j
Title: OpenClaw safeBins file-existence oracle information disclosure
History

Mon, 16 Mar 2026 18:15:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Thu, 12 Mar 2026 13:15:00 +0000

  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 12:15:00 +0000

  Description (added): A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.
  Title (added): OpenClaw File Existence tools.exec.safeBins information exposure
  First Time appeared: Openclaw (vendor), Openclaw openclaw (product)
  Weaknesses (added): CWE-200, CWE-203
  CPEs (added): cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*
  Vendors & Products (added): Openclaw (vendor), Openclaw openclaw (product)
  References (added): (no values listed)
  Metrics (added):
    cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}
    cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
    cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-12T13:08:57.088Z

Reserved: 2026-03-12T06:46:15.510Z

Link: CVE-2026-4040

Vulnrichment

Updated: 2026-03-12T13:08:10.108Z

NVD

Status : Analyzed

Published: 2026-03-12T12:15:59.990

Modified: 2026-03-16T18:06:44.927

Link: CVE-2026-4040

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:51Z

Weaknesses