GHSA-hggm-x7r9-mm7v

Source
https://github.com/advisories/GHSA-hggm-x7r9-mm7v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hggm-x7r9-mm7v/GHSA-hggm-x7r9-mm7v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hggm-x7r9-mm7v
Aliases
  • CVE-2026-32846
Published
2026-03-26T18:31:41Z
Modified
2026-06-08T20:30:57.103545277Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw is vulnerable to Path Traversal through path validation bypass
Details

OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.

Database specific
{
    "github_reviewed_at": "2026-03-30T13:29:48Z",
    "nvd_published_at": "2026-03-26T17:16:37Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH"
}
Affected packages

Package: npm / openclaw

Affected ranges
Type: ECOSYSTEM
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)
Fixed: 2026.03.28

Database specific

source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-hggm-x7r9-mm7v/GHSA-hggm-x7r9-mm7v.json"
last_known_affected_version_range: "<= 2026.3.23"