CVE-2026-43577
Analyzed Analyzed - Analysis Complete

Path Traversal in OpenClaw via CDP Origin Bypass

Vulnerability report for CVE-2026-43577, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-06

Last updated on: 2026-05-07

Assigner: VulnCheck

Description

OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-06
Last Modified
2026-05-07
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.4.9 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

There is no specific information provided about detection methods or commands to identify this vulnerability on your network or system.

Executive Summary

This vulnerability exists in OpenClaw versions before 2026.4.9 and involves a file read flaw. It allows attackers to bypass navigation guards by exploiting browser act/evaluate interactions. Through this, attackers can access the local CDP origin and create or read file:// pages that should be restricted by direct navigation policies.

Impact Analysis

The vulnerability can allow attackers to read or create local files that are normally protected by navigation restrictions. This could lead to unauthorized access to sensitive local data or manipulation of local files, potentially compromising the security and privacy of the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenClaw to version 2026.4.9 or later, such as [email protected], where the issue has been fixed.

The fix involves re-checking browser URLs after interaction-driven navigations to block targets violating navigation policies, preventing unauthorized file access.

Users are advised to apply this update promptly to reduce the risk of attackers bypassing navigation guards and accessing disallowed file:// pages.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43577. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart