6.7

OpenClaw versions prior to 2026.2.17 allow attackers to read sensitive files.

GHSA-56pc-6hvp-4gv4
Summary

Old versions of OpenClaw can be tricked into reading files outside its normal settings folder. This can let an attacker with permission to edit settings access sensitive information, like API keys and passwords. To fix this, update to version 2026.2.17 or later.

What to do
  • Update steipete openclaw to version 2026.2.17.
Affected software
Vendor    Product   Affected versions   Fix available
steipete  openclaw  <= 2026.2.17        2026.2.17
Original title
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Att...
Original description
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials.
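The boundary check the description implies, as an added illustration in Python rather than OpenClaw's own code: a hypothetical loader for a "$include" directive that resolves the real path first (collapsing "../" and following symlinks), rejects absolute paths, and only then verifies the target lies under the config directory, so all three vectors named above (absolute paths, traversal sequences, symlinks) are refused. Function names, the JSON layout and the fixture in demo() are assumptions.

```python
import json
import os
import tempfile
from pathlib import Path

# Illustrative "$include" loader; names and format are assumed, not OpenClaw's code.
INCLUDE_KEY = "$include"

class IncludeOutsideConfigDir(ValueError):
    """Raised when an include would read a file outside the config directory."""

def resolve_include(config_dir, target):
    """Return the real path of `target` if it stays inside `config_dir`, else raise."""
    base = Path(config_dir).resolve(strict=True)
    if Path(target).is_absolute():
        raise IncludeOutsideConfigDir(f"absolute include path rejected: {target}")
    # resolve() collapses "../" and follows symlinks, so the check below runs on the
    # file that would actually be opened, not on the string the config author wrote.
    candidate = (base / target).resolve()
    if base not in candidate.parents:
        raise IncludeOutsideConfigDir(f"include escapes config dir: {target}")
    return candidate

def load_config(config_dir, name, _depth=0):
    """Load a JSON config and merge the file named by its $include, if any."""
    if _depth > 8:
        raise RecursionError("include chain too deep")
    path = resolve_include(config_dir, name)
    data = json.loads(path.read_text())
    if INCLUDE_KEY in data:
        included = load_config(config_dir, data.pop(INCLUDE_KEY), _depth + 1)
        data = {**included, **data}  # the including file wins on conflicting keys
    return data

def demo():
    """Constructed fixture: one legitimate include and three escape attempts."""
    root = Path(tempfile.mkdtemp())
    cfg = root / "config"
    cfg.mkdir()
    (root / "secret.json").write_text('{"api_key": "not-for-you"}')  # outside config dir
    (cfg / "base.json").write_text('{"model": "default", "timeout": 30}')
    (cfg / "main.json").write_text('{"$include": "base.json", "timeout": 5}')
    os.symlink(root / "secret.json", cfg / "link.json")  # symlink pointing outside
    results = {"ok": load_config(cfg, "main.json")}
    for label, target in [("traversal", "../secret.json"),
                          ("absolute", str(root / "secret.json")),
                          ("symlink", "link.json")]:
        try:
            resolve_include(cfg, target)
            results[label] = "ALLOWED"
        except IncludeOutsideConfigDir:
            results[label] = "blocked"
    return results
```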
Source: GHSA · CVSS 4.0 score: 6.9
Vulnerability type
CWE-22 Path Traversal
Published: 3 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026