SB2026052914 - Incorrect permission assignment for critical resource in OpenClaw




Published: May 29, 2026

Security Bulletin ID SB2026052914
CSH Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Incorrect permission assignment for critical resource (CVE-ID: N/A)

CWE-ID: CWE-732 - Incorrect Permission Assignment for Critical Resource

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to incorrect permission assignment for a critical resource in the memory-wiki ingest feature when it handles plugin tool requests that specify local file paths. A remote user can supply an arbitrary local file path to disclose sensitive information.

Only the named feature and configuration are affected, and exploitation requires the feature to be enabled and reachable through the Gateway plugin tool with operator.write access.


Remediation

Install the update from the vendor's website.