PT-2026-24671 · Git+2 · Openclaw
Aether Ai
·
Published
2026-03-03
·
Updated
2026-03-21
·
CVE-2026-32061
CVSS v4.0
6.7
Medium
| Vector | AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.17
Description
OpenClaw versions prior to 2026.2.17 contain a path traversal flaw in the
$include directive resolution. This allows reading arbitrary local files outside the configuration directory boundary. An attacker with the ability to modify OpenClaw configuration files can exploit this by specifying absolute paths, traversal sequences, or symbolic links to access sensitive files readable by the OpenClaw process user, including API keys and credentials. The impact is limited by the file permissions of the OpenClaw runtime user. The vulnerability exists due to improper handling of the $include directive.Recommendations
Update OpenClaw to version 2026.2.17 or later.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw