CVE-2026-26329
Received Received - Intake
Path Traversal in OpenClaw Gateway Allows Arbitrary File Access

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. An attacker must reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints); present valid Gateway auth (bearer token / password), as required by the Gateway configuration (In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback); and have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. Starting in version 2026.2.14, the upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-10
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-26329
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26329 is a path traversal vulnerability in the OpenClaw personal AI assistant prior to version 2026.2.14. Authenticated attackers can exploit the browser tool's upload action by supplying absolute paths or path traversal sequences. These paths are passed unchecked to Playwright's setInputFiles() API, allowing attackers to read arbitrary files from the Gateway host filesystem. To exploit this, an attacker must have valid Gateway authentication and permission to use the browser tool in the target session. The vulnerability arises because the server does not restrict file upload paths to a safe directory, enabling attackers to escape the intended upload root and access sensitive files."}] [2]

Impact Analysis

This vulnerability allows an authenticated attacker to read arbitrary files on the Gateway host, potentially exposing sensitive or confidential information stored on the system. If the Gateway is exposed beyond the local loopback interface (such as on a LAN, through reverse proxies, tunnels, or tailnet), the risk and impact increase significantly. Attackers can exfiltrate file contents via browser JavaScript or snapshots, leading to confidentiality breaches and unauthorized data disclosure.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring for unauthorized or suspicious POST requests to the Gateway HTTP interface, specifically targeting the browser tool's upload action."}, {'type': 'paragraph', 'content': 'Look for POST requests to the endpoint `/tools/invoke` with JSON payloads containing `{"tool":"browser","action":"upload", ...}` or requests to `/hooks/file-chooser` which are used to invoke the vulnerable upload functionality.'}, {'type': 'paragraph', 'content': 'Detection commands could include network traffic inspection or web server access log analysis filtering for these endpoints and payload patterns.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might be:'}, {'type': 'list_item', 'content': 'Using grep on web server logs to find suspicious POST requests: `grep -i \'POST /tools/invoke\' /var/log/openclaw/access.log | grep \'"tool":"browser"\'`'}, {'type': 'list_item', 'content': 'Using tcpdump or Wireshark to capture HTTP POST requests to the Gateway port and filter for `/tools/invoke` or `/hooks/file-chooser` endpoints.'}, {'type': 'list_item', 'content': 'Checking for unexpected file read or upload activity in OpenClaw logs or monitoring for abnormal file access patterns on the Gateway host.'}] [2]

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.2.14 or later, where the vulnerability is fixed by confining upload paths to a safe temporary uploads root and rejecting path traversal sequences.

Additional immediate steps include:

  • Ensure the Gateway HTTP interface is bound only to loopback interfaces and not exposed to LAN, tailnet, or the public internet.
  • Restrict access to the Gateway by enforcing strong authentication and limiting the use of the browser tool in tool policies.
  • If exposure beyond loopback is necessary, consider using secure reverse proxies with strict access controls.
  • Monitor and audit Gateway logs for suspicious upload or file access attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26329. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart