CVE-2026-32061
Status: Received - Intake
Path Traversal in OpenClaw $include Directive Allows Arbitrary File Access

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-16
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: up to 2026.2.17 (excluding)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory.
Executive Summary

CVE-2026-32061 is a path traversal vulnerability in OpenClaw versions prior to 2026.2.17 that affects the $include directive resolution in configuration files.

This flaw allows attackers who have the ability to modify OpenClaw configuration files to specify absolute paths, directory traversal sequences (like ../../), or symbolic links to read arbitrary local files outside the intended configuration directory boundary.

As a result, attackers can access sensitive files readable by the OpenClaw process user, including API keys, credentials, and other private configuration data.

The vulnerability arises because the $include directive does not properly restrict file paths, enabling this unauthorized file read.

Impact Analysis

If exploited, this vulnerability can lead to unauthorized disclosure of sensitive local files accessible by the OpenClaw process user.

  • Exposure of API keys
  • Leakage of credentials
  • Access to private configuration data

However, exploitation requires the attacker to have high privileges to modify configuration files, and the impact is limited by the file permissions of the OpenClaw runtime user.

This vulnerability is not exploitable remotely without local access or configuration modification capabilities.

Detection Guidance

This vulnerability can be detected by checking whether your OpenClaw installation is a vulnerable version prior to 2026.2.17 and by inspecting configuration files for $include directives that specify absolute paths, directory traversal sequences (e.g., ../../), or symbolic links that point outside the intended configuration directory.

Since the vulnerability requires the ability to modify configuration files, detection involves auditing configuration files for unsafe $include usage and verifying the OpenClaw version.

  • Check the OpenClaw version: run `openclaw --version` or check the installed package version to confirm whether it is prior to 2026.2.17.
  • Search for $include directives in configuration files, for example: `grep -r '\$include' /path/to/openclaw/config`.
  • Look for traversal sequences or absolute paths in includes, e.g. `grep -rE '\$include.*\.\./' /path/to/openclaw/config` for traversal and `grep -rE '\$include[^/]*[[:space:]:"]/' /path/to/openclaw/config` for a slash that begins a path token (an absolute path).
  • Check for symbolic links inside the config directory that could redirect includes outside the directory: `find /path/to/openclaw/config -type l -ls`.

Mitigation Strategies

The primary immediate mitigation step is to upgrade OpenClaw to version 2026.2.17 or later, where the vulnerability has been fixed by confining $include directive resolution strictly within the top-level configuration directory and enforcing symlink and path traversal checks.

If upgrading immediately is not possible, restrict and audit who has the ability to modify OpenClaw configuration files, as exploitation requires config modification privileges.

Additionally, review and sanitize all $include directives in configuration files to ensure they do not use absolute paths, directory traversal sequences, or symlinks that point outside the config directory.

  • Apply the patch or update from the GitHub Security Advisory GHSA-56pc-6hvp-4gv4 or upgrade to OpenClaw 2026.2.17 or later.
  • Limit configuration file write permissions to trusted users only.
  • Remove or replace any unsafe $include directives that escape the config directory.
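As an added illustration of the fix described above (confining $include resolution to the configuration root and rejecting absolute paths, traversal sequences and symlinks that leave it), the following Python resolver is hypothetical example code written for this page, not OpenClaw's implementation; the config tree it builds is constructed for the demo, and the function and file names are assumptions.

```python
import os
import tempfile
from pathlib import Path


class IncludeError(ValueError):
    """Raised when an $include target would leave the configuration root."""


def resolve_include(config_root: str, target: str) -> str:
    """Resolve an $include target so it can only name a file under config_root.

    Hypothetical hardened resolver, not OpenClaw's code. Absolute targets are
    refused outright; relative ones go through realpath so that '..' segments
    and symlinks are both followed before the boundary check is made.
    """
    if os.path.isabs(target):
        raise IncludeError(f"absolute $include target refused: {target}")
    root = os.path.realpath(config_root)
    resolved = os.path.realpath(os.path.join(root, target))
    # commonpath rather than startswith: '/etc/openclaw-evil' must not pass
    # as a child of '/etc/openclaw'.
    if os.path.commonpath([root, resolved]) != root:
        raise IncludeError(f"$include escapes config root: {target} -> {resolved}")
    return resolved


def demo() -> dict:
    """Exercise the resolver against a constructed tree: one legitimate
    include, a secret one level above the root, and a symlink to it."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "config")
        root.mkdir()
        (root / "base.yaml").write_text("model: default\n")
        secret = Path(tmp, "secret.env")  # constructed, outside the root
        secret.write_text("API_KEY=constructed-placeholder\n")
        (root / "link.yaml").symlink_to(secret)
        cases = {
            "relative_inside": "base.yaml",
            "traversal": "../secret.env",
            "absolute": str(secret),
            "symlink_out": "link.yaml",
        }
        for label, target in cases.items():
            try:
                resolve_include(str(root), target)
                outcomes[label] = "allowed"
            except IncludeError:
                outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Only the in-tree relative include is allowed; the traversal, absolute and symlink variants are all rejected at the same boundary check.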