CVE-2026-62229
OpenClaw · OpenClaw
A path traversal vulnerability exists in OpenClaw, allowing authenticated attackers to access or manipulate restricted files through improper glob matching.
Executive summary
An improper path validation vulnerability in OpenClaw exposes the application to path traversal attacks, potentially leading to unauthorized data access.
Vulnerability
This vulnerability involves improper limitation of a pathname to a restricted directory (CWE-22), specifically triggered by flaws in glob matching logic. The vulnerability requires the attacker to have low-level privileges (PR:L) to initiate the traversal.
Business impact
The ability to perform path traversal can enable an attacker to read sensitive configuration files or access restricted system directories. This unauthorized access compromises the confidentiality and integrity of the application environment. Given the High CVSS score of 8.8, the business risk includes potential data exfiltration and the compromise of sensitive credentials stored within the application path.
Remediation
Immediate Action: Upgrade OpenClaw to version 2026.5.18 or higher to resolve the path validation flaw.
Proactive Monitoring: Inspect server logs for evidence of directory traversal attempts, such as requests containing sequences like ../ or unexpected glob pattern characters in file paths.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block malicious path traversal attempts and restrict file system access permissions for the application service user.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations should treat this path traversal vulnerability with high urgency. Applying the vendor-provided update is the only effective way to remediate this flaw and prevent unauthorized access to sensitive system resources.