Path traversal in OpenClaw - CVE-2026-26329


Published: May 4, 2026


Vulnerability identifier: #VU129472
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26329
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in the browser upload action when handling upload paths supplied to the browser tool. A remote user can supply absolute paths or path traversal sequences to read arbitrary files from the Gateway host and disclose sensitive information.

Exploitation requires valid Gateway authentication and access to the browser tool or the same browser control hook endpoints.
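To show the weakness class behind CWE-22 from the defender's side, the following added example (not OpenClaw's code; the upload root, function names and sample paths are constructed assumptions) contrasts the unsafe join pattern with a path check that rejects absolute paths, traversal sequences and symlink escapes from an upload root:

```python
import os
import re
import tempfile

# Constructed example: an upload root on a hypothetical gateway host.
UPLOAD_ROOT = "/srv/gateway/uploads"


class UploadPathError(ValueError):
    """Raised when a client-supplied upload path would escape the upload root."""


def naive_join(upload_root: str, requested: str) -> str:
    """The CWE-22 shape: os.path.join() drops upload_root entirely when
    `requested` is absolute, and never checks whether '..' climbs out."""
    return os.path.join(upload_root, requested)


def safe_upload_path(upload_root: str, requested: str) -> str:
    """Map a client-supplied upload path to a file strictly inside upload_root."""
    if not requested:
        raise UploadPathError("empty upload path")
    # Treat backslashes as separators so '..\\' is caught on POSIX hosts too.
    normalized = requested.replace("\\", "/")
    # os.path.isabs('C:/x') is False on POSIX, so check drive letters explicitly.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        raise UploadPathError("absolute upload paths are not allowed")
    root = os.path.realpath(upload_root)
    # realpath() collapses '..' and resolves existing symlinks, so a symlink
    # inside the root that points outside it fails the containment check below.
    candidate = os.path.realpath(os.path.join(root, normalized))
    if os.path.commonpath([root, candidate]) != root:
        raise UploadPathError(f"upload path escapes root: {requested!r}")
    return candidate


def is_safe_upload_path(upload_root: str, requested: str) -> bool:
    """Boolean convenience wrapper around safe_upload_path()."""
    try:
        safe_upload_path(upload_root, requested)
        return True
    except UploadPathError:
        return False


def symlink_escape_rejected() -> bool:
    """Symlink case: 'link' inside a real temporary root points at '/'."""
    with tempfile.TemporaryDirectory() as root:
        os.symlink("/", os.path.join(root, "link"))
        return not is_safe_upload_path(root, "link/etc/hostname")


if __name__ == "__main__":
    for p in ["docs/report.pdf", "a/../b.txt", "../../etc/passwd", "/etc/passwd"]:
        print(p, "->", "accepted" if is_safe_upload_path(UPLOAD_ROOT, p) else "rejected")
    print("symlink escape rejected:", symlink_escape_rejected())
```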


How to mitigate CVE-2026-26329

Install the security update from the vendor's website.