PT-2026-28443 · Openclaw · Openclaw

Vulncheck +1

Published 2026-03-26 · Updated 2026-05-20 · CVE-2026-32846

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions through 2026.3.23
Description: The software contains a path traversal issue in media parsing. It allows attackers to read arbitrary files by bypassing the path validation performed in the isLikelyLocalPath() and isValidMedia() functions. The incomplete validation and the allowBareFilename bypass let attackers reference files outside the intended application sandbox, potentially disclosing sensitive information such as system files, environment files, and SSH keys.
Recommendations: Update to a version after commit 4797bbc to resolve the issue.

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32846
GHSA-HGGM-X7R9-MM7V

Affected Products

Openclaw