Vulnerability Report

CVE-2026-32846

Title: Path Traversal in Media Parsing

Arbitrary File Access

Proof Of Concept

No public PoC currently indexed for CVE-2026-32846.

CWE Category CWE-22

Published Date Mar 26, 2026

Modified Date May 20, 2026

Exploit Status Not Found

Score 8.7 CVSS v4.0

Exploit Probability (EPSS)

0.69%

Vulnerability Summary

CVE-2026-32846: OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

Impacted Vendors

openclaw 1

Reference Links

https://github.com/openclaw/openclaw/commit/4797bbc5b96e2cca5532e43b58915c051746fe37 https://github.com/openclaw/openclaw/pull/54642 https://github.com/openclaw/openclaw/security/advisories/GHSA-f6pf-4gjx-c94r https://www.vulncheck.com/advisories/openclaw-media-parsing-path-traversal-to-arbitrary-file-read

CVSS v4.0

Source Entity [email protected]

Severity HIGH

8.7

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1