PT-2026-35618 · Npm · Openclaw
Published
2026-04-17
·
Updated
2026-04-17
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
The QMD backend
memory get read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.Impact
When the QMD backend was enabled, a caller with access to
memory get could read arbitrary *.md files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.Affected versions
- Affected:
< 2026.4.15 - Patched:
2026.4.15
Fix
OpenClaw
2026.4.15 restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient.Verified in
v2026.4.15:extensions/memory-core/src/memory/qmd-manager.tsrejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path.extensions/memory-core/src/memory/qmd-manager.test.tscovers QMD session search-result reads and the read-path restriction behavior.
Fix commit included in
v2026.4.15 and absent from v2026.4.14:37d5971db36491d5050efd42c333cbe0b98ed292via PR #66026
Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw