PT-2026-26016 · Openclaw · Openclaw

Baozongwixd · Published 2026-02-25 · Updated 2026-03-31 · CVE-2026-27522

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.24

Description: OpenClaw versions before 2026.2.24 contain a local media root bypass in the sendAttachment and setGroupIcon message actions when sandboxRoot is not configured. This allows attackers to read arbitrary host files accessible to the runtime user by hydrating media from local absolute paths. The vulnerability exists because the local media root checks are skipped when sandboxRoot is unset, so a missing setting silently removes the containment check instead of failing closed.

Recommendations: Upgrade to OpenClaw version 2026.2.24 or later.

Fix

Path traversal

Information Disclosure


Weakness Enumeration

Related identifiers

BDU:2026-05061
CVE-2026-27522
GHSA-FQCM-97M6-W7RM

Affected products

Openclaw