CVE-2026-26329

6.5 MEDIUM

📋 TL;DR

OpenClaw personal AI assistant versions before 2026.2.14 allow authenticated attackers to read arbitrary files from the Gateway host via path traversal in the browser tool's upload function. This affects systems where the Gateway is exposed beyond localhost and attackers have valid authentication tokens. The vulnerability occurs because the server passes user-supplied paths to Playwright's setInputFiles() API without proper path restriction.

💻 Affected Systems

Products:
  • OpenClaw
Versions: All versions prior to 2026.2.14
Operating Systems: All platforms running OpenClaw
Default Config Vulnerable: ⚠️ Yes
Notes: Default configuration binds Gateway to loopback, but the onboarding wizard generates gateway tokens even for loopback access. Exploitation requires all of:
  • Gateway HTTP surface access
  • Valid Gateway authentication
  • Browser tool permission in the target session

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with valid authentication can read sensitive system files (passwords, configuration files, SSH keys) from the Gateway host, potentially leading to full system compromise.

🟠 Likely Case

Authenticated users with browser tool access can read files within the Gateway host's filesystem, potentially accessing sensitive application data or configuration files.

🟢 If Mitigated

If Gateway is bound to loopback only and proper authentication controls are in place, impact is limited to local authenticated users.

🌐 Internet-Facing: HIGH - If Gateway is exposed to the internet, authenticated attackers can read arbitrary files from the host system.
🏢 Internal Only: MEDIUM - Even on internal networks, authenticated users with browser tool access can exploit this vulnerability to read sensitive files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Exploitation requires sending crafted paths to the upload endpoint with valid authentication.

Exploitation requires authenticated access and browser tool permissions. Path traversal sequences or absolute paths can be supplied to the upload action.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.14

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q

Restart Required: Yes

Instructions:

1. Update OpenClaw to version 2026.2.14 or later.
2. Restart the OpenClaw service.
3. Verify the update by checking the version.

The fix confines upload paths to OpenClaw's temp uploads root and rejects traversal/escape paths.

🔧 Temporary Workarounds

Restrict Gateway Binding

Platforms: all

Ensure Gateway only binds to the loopback interface (127.0.0.1/localhost) to prevent network access.

  • Check Gateway configuration for bind address settings
  • Ensure the bind address is set to 127.0.0.1 or localhost only

Disable Browser Tool

Platforms: all

Remove the browser tool from the tool policy for all sessions/contexts if it is not required.

  • Modify the OpenClaw tool policy configuration to exclude the browser tool

🧯 If You Can't Patch

  • Restrict Gateway to loopback binding only and implement strict network access controls
  • Implement strong authentication controls and regularly rotate gateway tokens

🔍 How to Verify

Check if Vulnerable:

Check OpenClaw version. If version is earlier than 2026.2.14, the system is vulnerable.

Check Version:

Check OpenClaw version in application interface or configuration files

Verify Fix Applied:

After updating to 2026.2.14 or later, test that supplying absolute paths or path traversal sequences to the upload action returns an error instead of reading files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns via browser tool upload
  • Failed authentication attempts to Gateway endpoints
  • Path traversal patterns in upload requests

Network Indicators:

  • HTTP requests to Gateway upload endpoints with path traversal sequences
  • Unusual file read patterns from Gateway host

SIEM Query:

source="openclaw" AND (path:*../* OR path:*\\* OR path:"/etc/" OR path:"/root/") AND action="upload"
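The SIEM query above expressed as a log-side check, added here as an example that is not part of the advisory. It runs over constructed JSON log lines; the field names (source, action, path, token_id, ts) are assumptions about the log schema. It goes slightly beyond the query in that it flags any absolute path, not only /etc/ and /root/, and only matches ".." when it is a whole path component.

```javascript
// Added example, not from the advisory or the OpenClaw project. Flags upload
// actions whose path looks like traversal or an absolute path, matching the
// intent of the SIEM query. Field names are assumed; log lines are constructed.
const SAMPLE_LOGS = [
  '{"ts":"2026-02-15T10:00:01Z","source":"openclaw","action":"upload","token_id":"tok_01","path":"report.pdf"}',
  '{"ts":"2026-02-15T10:00:02Z","source":"openclaw","action":"upload","token_id":"tok_01","path":"../../etc/passwd"}',
  '{"ts":"2026-02-15T10:00:03Z","source":"openclaw","action":"upload","token_id":"tok_02","path":"/root/.ssh/config"}',
  '{"ts":"2026-02-15T10:00:04Z","source":"openclaw","action":"navigate","token_id":"tok_02","path":"../x"}',
  '{"ts":"2026-02-15T10:00:05Z","source":"nginx","action":"upload","token_id":"-","path":"/etc/hosts"}',
  'this line is not json',
  '{"ts":"2026-02-15T10:00:06Z","source":"openclaw","action":"upload","token_id":"tok_03","path":"docs\\\\..\\\\secret.txt"}',
  '{"ts":"2026-02-15T10:00:07Z","source":"openclaw","action":"upload","token_id":"tok_01","path":"..notes.txt"}',
];

// True when the path contains a parent-directory component (either separator
// style), any backslash, or is absolute (POSIX or Windows drive form).
function isSuspiciousUploadPath(p) {
  if (/(^|[\/\\])\.\.([\/\\]|$)/.test(p)) return true; // ".." as a component
  if (p.includes("\\")) return true;                    // mirrors path:*\\*
  if (p.startsWith("/") || /^[a-zA-Z]:/.test(p)) return true; // absolute
  return false;
}

// Scans JSON lines and returns one hit per suspicious openclaw upload action.
// Malformed lines and records from other sources or actions are skipped.
function findSuspiciousUploads(lines) {
  const hits = [];
  for (const line of lines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // malformed line, not a detection
    }
    if (rec.source !== "openclaw" || rec.action !== "upload") continue;
    if (typeof rec.path !== "string") continue;
    if (isSuspiciousUploadPath(rec.path)) {
      hits.push({ ts: rec.ts, token_id: rec.token_id, path: rec.path });
    }
  }
  return hits;
}

module.exports = { SAMPLE_LOGS, isSuspiciousUploadPath, findSuspiciousUploads };
```

A hit identifies the token that made the request, which is the pivot for the workaround above: rotate that gateway token and review the session's tool policy.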
