PT-2026-26390 · Openclaw · Openclaw


Published: 2026-03-03 · Updated: 2026-03-20 · CVE-2026-32008

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.21

Description: OpenClaw contains an improper URL scheme validation issue in the assertBrowserNavigationAllowed() function, located in src/browser/navigation-guard.ts. The function only validated http: and https: network targets and implicitly allowed every other scheme, so an authenticated user with browser-tool access could navigate the browser to file:// URLs. Through browser snapshot and extraction actions, this exposes local files readable by the OpenClaw process user; an attacker holding valid gateway credentials and browser-tool access can therefore exfiltrate such files.

Recommendations: OpenClaw versions prior to 2026.2.21 should be updated to version 2026.2.21 or later. Reject unsupported navigation schemes and allow only explicitly safe non-network URLs; OpenClaw now blocks non-network schemes (such as file:, data:, and javascript:) while preserving about:blank.
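As an added example (not OpenClaw's code and not the real navigation-guard.ts), the implicit-allow pattern the description attributes to assertBrowserNavigationAllowed() is shown beside an explicit scheme allow-list that keeps about:blank, as the fix describes. The function names, the host denylist and the sample URLs are assumptions constructed for the illustration.

```typescript
// Added illustration, not OpenClaw's code. A guard that only scrutinises http(s)
// targets implicitly permits every other scheme; names and denylist are assumptions.
const BLOCKED_HOSTS = new Set(["localhost", "127.0.0.1"]); // assumed network-target check

function checkNetworkTarget(url: URL): void {
  if (BLOCKED_HOSTS.has(url.hostname)) {
    throw new Error(`navigation to ${url.hostname} is not allowed`);
  }
}

/** Weak pattern: validates network targets, lets every other scheme through. */
function assertNavigationAllowedWeak(rawUrl: string): URL {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol === "http:" || url.protocol === "https:") {
    checkNetworkTarget(url);
  }
  return url; // file:, data:, javascript: ... reach here unchecked
}

/** Hardened pattern: explicit allow-list; about:blank is the only non-network URL kept. */
function assertNavigationAllowedHardened(rawUrl: string): URL {
  const url = new URL(rawUrl);
  if (url.protocol === "http:" || url.protocol === "https:") {
    checkNetworkTarget(url);
    return url;
  }
  if (url.href === "about:blank") return url;
  throw new Error(`unsupported navigation scheme: ${url.protocol}`);
}

type Decision = "allowed" | "blocked";

/** Runs a guard and reports the outcome instead of throwing. */
function decide(guard: (u: string) => URL, rawUrl: string): Decision {
  try { guard(rawUrl); return "allowed"; } catch { return "blocked"; }
}

// Constructed sample targets covering the scheme classes the fix blocks.
const SAMPLE_URLS = ["https://example.com/", "http://localhost/admin", "about:blank",
  "file:///path/to/local-file", "data:text/plain,hello", "javascript:void(0)"];

/** Side by side: url -> [weak decision, hardened decision]. */
function compareGuards(urls: string[] = SAMPLE_URLS): Record<string, [Decision, Decision]> {
  const out: Record<string, [Decision, Decision]> = {};
  for (const u of urls) out[u] = [decide(assertNavigationAllowedWeak, u), decide(assertNavigationAllowedHardened, u)];
  return out;
}

for (const [u, [weak, hard]] of Object.entries(compareGuards())) console.log(`${u} weak=${weak} hardened=${hard}`);
```

The weak guard reports "allowed" for the file:, data: and javascript: samples; the hardened guard blocks all three and still accepts about:blank and the https: target.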

Related Identifiers

CVE-2026-32008
GHSA-45CG-2683-GFMQ

Affected Products

Openclaw