PT-2026-24671 · Git+2 · Openclaw
Aether Ai
·
Publicado
2026-03-03
·
Atualizado
2026-03-21
·
CVE-2026-32061
CVSS v4.0
6.7
Média
| Vetor | AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.17
Description
OpenClaw versions prior to 2026.2.17 contain a path traversal flaw in the
$include directive resolution. This allows reading arbitrary local files outside the configuration directory boundary. An attacker with the ability to modify OpenClaw configuration files can exploit this by specifying absolute paths, traversal sequences, or symbolic links to access sensitive files readable by the OpenClaw process user, including API keys and credentials. The impact is limited by the file permissions of the OpenClaw runtime user. The vulnerability exists due to improper handling of the $include directive.Recommendations
Update OpenClaw to version 2026.2.17 or later.
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Openclaw