CVE-2026-26329 Overview
CVE-2026-26329 is a path traversal vulnerability in OpenClaw, a personal AI assistant application. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's upload action. The server passed these paths directly to Playwright's setInputFiles() APIs without restricting them to a safe root directory.
Critical Impact
Authenticated attackers can exfiltrate sensitive files from the Gateway host, including configuration files, credentials, and other confidential data by exploiting the unvalidated file path handling in the browser tool.
Affected Products
- OpenClaw versions prior to 2026.2.14
- OpenClaw Gateway with browser tool enabled
- Deployments exposing Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels)
Discovery Timeline
- 2026-02-20 - CVE-2026-26329 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26329
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in OpenClaw's browser tool component, specifically in the upload action functionality. The vulnerability enables authenticated users to bypass intended directory restrictions and access files outside the designated upload directory by crafting malicious file paths containing traversal sequences like ../ or by specifying absolute paths.
The exploitation requires an attacker to have valid Gateway authentication (bearer token or password) and the browser tool permitted by tool policy for the target session. While the default configuration binds the Gateway to loopback, deployments that expose the Gateway beyond loopback significantly increase the attack surface and potential impact of this vulnerability.
Root Cause
The root cause lies in insufficient input validation when processing file paths provided to the browser tool's upload functionality. The application directly passed user-supplied paths to Playwright's setInputFiles() APIs without implementing proper path canonicalization or confinement checks. This allowed attackers to escape the intended upload directory and access arbitrary files on the filesystem accessible to the Gateway process.
Attack Vector
The attack is network-based and requires low privileges (authenticated access). An attacker must:
- Reach the Gateway HTTP surface or invoke browser control hook endpoints
- Present valid Gateway authentication credentials
- Have the browser tool permitted by tool policy for the session
- Supply malicious paths containing traversal sequences (e.g., ../../etc/passwd) or absolute paths to the upload action
The security patch introduces the resolvePathWithinRoot() function in src/browser/paths.ts to properly validate and confine paths:
+import path from "node:path";
+import { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";
+
+export const DEFAULT_BROWSER_TMP_DIR = resolvePreferredOpenClawTmpDir();
+export const DEFAULT_TRACE_DIR = DEFAULT_BROWSER_TMP_DIR;
+export const DEFAULT_DOWNLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "downloads");
+export const DEFAULT_UPLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "uploads");
+
+export function resolvePathWithinRoot(params: {
+ rootDir: string;
+ requestedPath: string;
+ scopeLabel: string;
+ defaultFileName?: string;
+}): { ok: true; path: string } | { ok: false; error: string } {
+ const root = path.resolve(params.rootDir);
+ const raw = params.requestedPath.trim();
+ if (!raw) {
+ if (!params.defaultFileName) {
+ return { ok: false, error: "path is required" };
+ }
+ return { ok: true, path: path.join(root, params.defaultFileName) };
+ }
+ const resolved = path.resolve(root, raw);
+ const rel = path.relative(root, resolved);
+ if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
+ return { ok: false, error: `Invalid path: must stay within ${params.scopeLabel}` };
+ }
+ return { ok: true, path: resolved };
+}
Source: GitHub Commit
Detection Methods for CVE-2026-26329
Indicators of Compromise
- Unusual file access patterns in Gateway logs showing paths with ../ sequences
- Access attempts to sensitive system files (e.g., /etc/passwd, /etc/shadow, configuration files) via the browser tool
- Authentication followed by file upload requests containing absolute paths
- Abnormal file read operations outside the designated DEFAULT_UPLOAD_DIR directory
Detection Strategies
- Implement log analysis rules to detect path traversal patterns in upload action requests
- Monitor for requests to the browser tool endpoints containing ../, ..\\, or absolute path prefixes
- Deploy web application firewall (WAF) rules to block common path traversal sequences
- Audit Gateway access logs for authenticated sessions accessing unexpected file paths
Monitoring Recommendations
- Enable verbose logging on OpenClaw Gateway to capture all file path requests
- Configure alerts for failed path resolution attempts that may indicate exploitation attempts
- Monitor filesystem access patterns for the OpenClaw process to detect unauthorized file reads
- Review authentication logs for suspicious token usage patterns preceding file access anomalies
How to Mitigate CVE-2026-26329
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Restrict Gateway binding to loopback only if external access is not required
- Review and tighten tool policy to limit browser tool access to trusted sessions
- Audit logs for any historical exploitation attempts before patching
- Rotate Gateway authentication tokens as a precautionary measure
Patch Information
The vulnerability is fixed in OpenClaw version 2026.2.14. The patch implements the resolvePathWithinRoot() function that properly validates all upload paths, ensuring they are confined to the DEFAULT_UPLOAD_DIR directory. Traversal sequences and absolute paths that would escape this root are now rejected. The security fix can be reviewed in the GitHub Security Advisory GHSA-cv7m-c9jx-vg7q and the associated commit.
Workarounds
- Disable the browser tool via tool policy configuration until patching is possible
- Ensure Gateway is bound to loopback only and not exposed beyond localhost
- Implement network-level access controls to restrict Gateway access to trusted sources
- Deploy reverse proxy rules to filter requests containing path traversal patterns
# Configuration example - Restrict Gateway to loopback only
# In openclaw configuration file
gateway:
bind: "127.0.0.1"
port: 8080
# Disable browser tool in tool policy
tools:
browser:
enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
