CVE-2026-26329 in OpenClaw
Summary
by MITRE • 02/20/2026
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability identified as CVE-2026-26329 affects OpenClaw, a personal AI assistant platform, exposing a critical path traversal flaw in its browser tool functionality. This vulnerability exists in versions prior to 2026.2.14 and represents a significant security risk that allows authenticated attackers to access arbitrary files on the Gateway host system. The flaw specifically impacts the browser tool's upload action implementation where absolute paths or path traversal sequences are processed without proper sanitization or restriction mechanisms. The technical implementation passes these unvalidated paths directly to Playwright's setInputFiles() APIs, which are designed for browser automation but lack the necessary constraints to prevent directory traversal attacks.
The operational impact of this vulnerability extends beyond simple file reading capabilities, as it enables attackers with valid authentication credentials to potentially access sensitive system files, configuration data, or other confidential information stored on the Gateway host. The attack requires multiple prerequisites including access to the Gateway HTTP surface, valid authentication through bearer tokens or passwords, and proper tool policy permissions for the browser tool within the target session context. These requirements suggest that the vulnerability is not easily exploitable from external networks, but rather represents a privilege escalation risk for authenticated users who already have access to the system. The default configuration typically binds the Gateway to loopback interfaces, making the initial attack vector more constrained but still potentially dangerous in environments where the Gateway is exposed beyond local network boundaries.
The vulnerability aligns with CWE-22 Path Traversal and CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component, specifically manifesting as a directory traversal attack that bypasses intended file access restrictions. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1059 Command and Scripting Interpreter and T1566 Phishing, as attackers could potentially leverage this to access sensitive files or credentials stored on the system. The attack chain requires the operator to expose the Gateway beyond loopback interfaces, which increases the attack surface and potential impact significantly. When the Gateway is configured to accept connections from external networks through LAN, tailnet connections, reverse proxies, or tunneling mechanisms, the vulnerability becomes much more dangerous as it could potentially allow unauthorized access to the underlying host system from remote locations.
The remediation implemented in version 2026.2.14 addresses the core issue by confining all upload paths to OpenClaw's designated temporary uploads root directory and rejecting any traversal or escape attempts. This approach follows the principle of least privilege and defense in depth by implementing proper input validation and path restriction mechanisms. The fix ensures that even if malicious input is provided, it cannot escape the designated upload directory, effectively neutralizing the path traversal vulnerability. Security operators should verify that their deployments are updated to version 2026.2.14 or later and review their Gateway exposure settings to ensure that the default loopback binding is maintained unless explicit external access is required. Additionally, organizations should implement network segmentation and access controls to minimize the potential impact of any remaining vulnerabilities in the system architecture.