Description

OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

INFO

Published Date :

2026-03-26T16:36:00.657Z

Last Modified :

2026-03-27T14:43:07.620Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32846 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32846.

URL Resource
https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37 cve-icon cve-icon
https://github.com/openclaw/openclaw/pull/54642 cve-icon cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact