CVE-2026-44111
Arbitrary File Read in OpenClaw QMD Backend
Publication date: 2026-05-06
Last updated on: 2026-05-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.15 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-183 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the QMD backend's memory_get function allowing arbitrary read of Markdown files within the workspace root by bypassing path restrictions.
Detection would require verifying if the memory_get function is accessible and being used to read Markdown files outside canonical or indexed memory paths.
Since exploitation requires access to the memory tool, you can check for unusual or unauthorized calls to memory_get or attempts to read Markdown files outside expected directories.
Specific commands are not provided in the resources, but general approaches include:
- Monitoring logs or audit trails for calls to memory_get or file reads of *.md files outside canonical memory paths.
- Using file integrity monitoring tools to detect unexpected access to Markdown files in the workspace root.
- Searching for processes or scripts invoking memory_get with arbitrary paths.
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions before 2026.4.15 and involves an arbitrary file read issue in the QMD backend memory_get function.
It allows attackers who have access to the memory tool to bypass path restrictions by specifying arbitrary Markdown file paths within the workspace root.
As a result, attackers can read Markdown files outside the intended canonical memory locations or indexed QMD result sets.
How can this vulnerability impact me? :
The vulnerability can allow an attacker with limited privileges (access to the memory tool) to read arbitrary Markdown files within the workspace.
This could lead to unauthorized disclosure of sensitive or confidential information stored in those files.
However, the overall impact is limited by the requirement that the attacker must already have some level of access (privileged user with access to the memory tool).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update OpenClaw to version 2026.4.15 or later, where the vulnerability has been fixed.
The fix restricts the memory_get function to only allow reads of canonical memory files and exact paths of active indexed QMD workspace documents, preventing arbitrary Markdown file reads.
Until the update can be applied, limit access to the memory tool to trusted users only, as exploitation requires access to this tool.
Review and enforce workspace file access policies to prevent unauthorized reading of Markdown files.