6.7

OpenClaw versions before 2026.2.17: Access to sensitive files

CVE-2026-32061
Summary

Versions of OpenClaw before 2026.2.17 allow an attacker with permission to modify the config to read sensitive local files, such as those holding API keys and credentials. This exposes confidential information to the attacker. Update to version 2026.2.17 or later to fix this issue.

Original title
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Att...
Original description
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.
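The description names three escape routes from the config directory: absolute paths, traversal sequences and symlinks. The following is an added example, not OpenClaw's code and not the actual fix, of a Node.js containment check that rejects all three by comparing real paths; `resolveInclude`, the fixture helpers and all file names are hypothetical.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
// Hypothetical helper: return the real path of an include, or throw if it
// would resolve outside configDir. Read the returned path, not the input.
function resolveInclude(configDir, includePath) {
  if (path.isAbsolute(includePath)) {
    throw new Error(`absolute include rejected: ${includePath}`);
  }
  // realpathSync follows symlinks, so the check sees the final target.
  const root = fs.realpathSync(configDir);
  const target = fs.realpathSync(path.resolve(root, includePath));
  const rel = path.relative(root, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`include escapes config directory: ${includePath}`);
  }
  return target;
}

// Constructed fixture: a config dir, a file outside it, a symlink to that file.
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'include-demo-'));
  const configDir = path.join(base, 'config');
  fs.mkdirSync(path.join(configDir, 'parts'), { recursive: true });
  fs.writeFileSync(path.join(configDir, 'parts', 'ok.json'), '{}');
  const secret = path.join(base, 'secret.env');
  fs.writeFileSync(secret, 'API_KEY=constructed-placeholder');
  fs.symlinkSync(secret, path.join(configDir, 'parts', 'link.json'));
  return { base, configDir, secret };
}

function verdict(configDir, includePath) {
  try { resolveInclude(configDir, includePath); return 'allowed'; }
  catch (err) { return 'rejected'; }
}
// Runs the four cases against the fixture and cleans up afterwards.
function runDemo() {
  const { base, configDir, secret } = buildFixture();
  const results = {
    inside: verdict(configDir, 'parts/ok.json'),
    absolute: verdict(configDir, secret),
    traversal: verdict(configDir, '../secret.env'),
    symlink: verdict(configDir, 'parts/link.json'),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
console.log(runDemo());
```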
NVD CVSS 3.1: 4.4
NVD CVSS 4.0: 6.7
Vulnerability type
CWE-22 Path Traversal
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026