Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-26329

OpenClaw has a path traversal in browser upload allows local file read
Back to all
CVE

CVE-2026-26329

OpenClaw has a path traversal in browser upload allows local file read

Summary

Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths to Playwright's setInputFiles() APIs without restricting them to a safe root.

Severity remains High due to the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access.

Exploitability / Preconditions

This is not a "drive-by" issue.

An attacker must:

  • Reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints).
  • Present valid Gateway auth (bearer token / password), as required by the Gateway configuration.
  • In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback.
  • Have the browser tool permitted by tool policy for the target session/context (and have browser support enabled).

If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Vulnerable: < 2026.2.14 (includes latest published 2026.2.13)
  • Patched: >= 2026.2.14 (planned next release)

Details

Entry points:

  • POST /tools/invoke with {"tool":"browser","action":"upload",...}
  • POST /hooks/file-chooser (browser control hook)

When the upload paths are not validated, Playwright reads the referenced files from the local filesystem and attaches them to a page-level <input type="file">. Contents can then be exfiltrated by page JavaScript (e.g. via FileReader) or via agent/browser snapshots.

Impact: arbitrary local file read on the Gateway host (confidentiality impact).

Fix

Upload paths are now confined to OpenClaw's temp uploads root (DEFAULTUPLOADDIR) and traversal/escape paths are rejected.

This fix was implemented internally; the reporter provided a clear reproduction and impact analysis.

Fix commit(s):

  • 3aa94afcfd12104c683c9cad81faf434d0dadf87

Thanks @p80n-sec for reporting.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
7.1
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
C
H
U
7.1
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Related Resources

No items found.

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q, https://nvd.nist.gov/vuln/detail/CVE-2026-26329, https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87, https://github.com/openclaw/openclaw, https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

Severity

6.5

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
6.5
EPSS Probability
0.00015%
EPSS Percentile
0.03355%
Introduced Version
0,2026.2.2,2026.1.29-beta.1,2026.1.27-beta.1,2026.1.14-1,2026.1.4,2.0.0-beta3,2.0.0-beta2
Fix Available
2026.2.14

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading