CVE-2026-43533 Overview
CVE-2026-43533 is an arbitrary file read vulnerability affecting OpenClaw versions before 2026.4.10. The flaw resides in the QQBot extension's media tag handling, where outbound media processing fails to enforce a storage boundary. Attackers can craft reply text containing media tags that reference host-local file paths outside the intended media storage directory. The QQBot framework then reads those files and transmits their contents through the outbound media channel, disclosing arbitrary local files to remote recipients. The weakness is classified as relative path traversal [CWE-23] and is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on the host running OpenClaw, including configuration files, credentials, and bot tokens.
Affected Products
- OpenClaw (Node.js distribution) versions prior to 2026.4.10
- OpenClaw QQBot extension (extensions/qqbot/index.ts)
- Deployments exposing QQBot reply handling to untrusted message senders
Discovery Timeline
- 2026-05-05 - CVE-2026-43533 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43533
Vulnerability Analysis
The vulnerability exists in the QQBot extension that ships with OpenClaw. The extension parses media tags inside reply text and resolves each tag to a local file path before forwarding the resource through QQ's outbound media APIs. The path resolver does not constrain the resulting path to the configured media storage directory. As a result, sequences such as ../ or absolute paths inside a media tag escape the intended boundary and resolve to arbitrary files on the host. The bot then reads those files and uploads them as outbound media, returning their contents to the attacker.
Root Cause
The root cause is missing path canonicalization and boundary enforcement on file references derived from attacker-controlled message content. The outbound media handler trusted the resolved path without verifying it remained within the media storage root. The fix introduces an explicit SendDocumentOptions type with an allowQQBotDataDownloads flag and centralizes the boundary check so that all outbound local file paths are validated before being read.
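The contrast below is an added example and not OpenClaw's code: it places the unchecked resolver the advisory describes beside one that canonicalizes the reference and enforces the media storage boundary, with an opt-in flag named after the one the fix introduces. The option's shape, the function names, and the media root path are assumptions made for the example.

```typescript
// Added example (not OpenClaw's code): a boundary-enforcing resolver for
// file references taken from media tags, beside the unchecked form that
// the advisory describes. The option name mirrors the fix; its shape and
// the function names here are assumptions.
import * as path from "path";

export type SendDocumentOptions = {
  allowQQBotDataDownloads?: boolean;
};

export class MediaBoundaryError extends Error {}

// Before: the reference is resolved and used as-is. path.resolve collapses
// "../" segments and treats an absolute second argument as the whole path,
// so both forms of reference escape mediaRoot without any error.
export function resolveMediaPathUnchecked(mediaRoot: string, ref: string): string {
  return path.resolve(mediaRoot, ref);
}

// Lexical containment check: true when candidate is a path strictly below
// root. A reference that resolves to root itself is also rejected, since a
// media tag must name a file, not the storage directory.
export function isUnderRoot(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  return (
    rel !== "" &&
    rel !== ".." &&
    !rel.startsWith(".." + path.sep) &&
    !path.isAbsolute(rel)
  );
}

// After: canonicalise, then require the result to stay under the media root.
// Only an explicit opt-in bypasses the check; undefined/false is the safe
// default. A deployment that permits symlinks inside the media directory
// should additionally compare fs.realpathSync() of root and candidate, since
// this check is purely lexical.
export function resolveMediaPath(
  mediaRoot: string,
  ref: string,
  opts: SendDocumentOptions = {}
): string {
  const root = path.resolve(mediaRoot);
  const candidate = path.resolve(root, ref);
  if (opts.allowQQBotDataDownloads === true) {
    return candidate;
  }
  if (!isUnderRoot(root, candidate)) {
    throw new MediaBoundaryError(`media reference escapes storage root: ${ref}`);
  }
  return candidate;
}

// Convenience wrapper for callers that want a decision rather than an exception.
export function referenceIsAllowed(
  mediaRoot: string,
  ref: string,
  opts: SendDocumentOptions = {}
): boolean {
  try {
    resolveMediaPath(mediaRoot, ref, opts);
    return true;
  } catch (e) {
    if (e instanceof MediaBoundaryError) return false;
    throw e;
  }
}
```

The check is deliberately done on the canonical form rather than by searching the raw tag for `..`: a reference such as `a/../b.png` is harmless after normalization, while an absolute path contains no `..` at all and still escapes. The opt-in branch sits after canonicalization so that even a caller with the flag set receives a normalized path.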
Attack Vector
An attacker sends a QQ message that triggers a bot reply containing a crafted media tag referencing a host-local path such as /etc/passwd or an application configuration file. When the bot composes its outbound reply, the QQBot extension resolves the tag, reads the targeted file, and uploads it as media to the conversation channel the attacker controls. No authentication, privilege, or user interaction is required.
// Patch excerpt: extensions/qqbot/index.ts
// fix(qqbot): enforce media storage boundary for all outbound local file paths
account: QQBotAccount;
logPrefix: string;
};
+type SendDocumentOptions = {
+ allowQQBotDataDownloads?: boolean;
+};
type QQBotFrameworkCommandResult =
| string
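Review bot: SendDocumentOptions is introduced without a doc comment, and the visible hunk does not show where allowQQBotDataDownloads is consumed, so nothing here records that leaving the flag unset must be the restrictive default. Suggest a JSDoc line above `+type SendDocumentOptions = {` stating that the flag is opt-in, that the media-storage-root check is skipped only when it is explicitly `true`, and naming the send path that performs the check, so that a future caller cannot read an undefined flag as "allowed".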
Source: GitHub commit 604777e. The patch introduces an explicit options type that gates whether local files outside the media storage root may be sent, and adds validation before any outbound file read.
Detection Methods for CVE-2026-43533
Indicators of Compromise
- Outbound QQBot media uploads referencing files outside the configured media storage directory.
- Reply text or message logs containing media tags with .., absolute paths, or references to system paths such as /etc, /proc, or application config directories.
- Unexpected reads of sensitive files (.env, config.json, private keys) by the OpenClaw process.
Detection Strategies
- Inspect QQBot reply logs for media tags whose resolved paths escape the configured media root.
- Monitor the OpenClaw process for open()/readFile() syscalls targeting paths outside its expected working directories.
- Alert on outbound media transmissions whose byte signatures match server-side configuration files or credential stores.
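The first two detection strategies can be run over reply logs directly. The scanner below is an added example, not part of OpenClaw or of the advisory: it extracts media tags from log lines, resolves each reference against the configured media root, and reports references that escape the root (high severity) or that contain a traversal sequence yet still resolve inside it (low severity, as an anomaly worth reviewing). The `[media:<ref>]` tag syntax, the log line layout, and the sample lines are all constructed assumptions.

```typescript
// Added example (not OpenClaw's code): scan QQBot reply logs for media tags
// whose file reference escapes the configured media root. The log line
// layout and the [media:<ref>] tag syntax are assumptions, and the sample
// lines below are constructed for this example.
import * as path from "path";

export interface Finding {
  line: number;          // 1-based line number in the scanned log
  ref: string;           // raw reference taken from the tag
  resolved: string;      // where the reference lands after resolution
  severity: "high" | "low";
  reason: string;
}

// Lexical test: does ref, resolved against mediaRoot, land outside (or on) the root?
export function escapesMediaRoot(mediaRoot: string, ref: string): boolean {
  const root = path.resolve(mediaRoot);
  const rel = path.relative(root, path.resolve(root, ref));
  return rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
}

export function scanReplyLog(lines: string[], mediaRoot: string): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, idx) => {
    const tagRe = /\[media:([^\]]+)\]/g;   // fresh regex per line so lastIndex starts at 0
    let m: RegExpExecArray | null;
    while ((m = tagRe.exec(line)) !== null) {
      const ref = m[1].trim();
      const resolved = path.resolve(mediaRoot, ref);
      const hasDotDot = ref.split(/[\\/]/).includes("..");
      if (escapesMediaRoot(mediaRoot, ref)) {
        findings.push({
          line: idx + 1, ref, resolved, severity: "high",
          reason: path.isAbsolute(ref) ? "absolute path outside media root" : "traversal escapes media root",
        });
      } else if (hasDotDot) {
        // Stays inside the root after normalisation, but legitimate tags have no
        // reason to contain "..", so record it as a low-severity indicator.
        findings.push({
          line: idx + 1, ref, resolved, severity: "low",
          reason: "traversal sequence in tag (resolves inside media root)",
        });
      }
    }
  });
  return findings;
}

// Constructed sample log (not real OpenClaw output).
export const SAMPLE_LOG: string[] = [
  'ts=2026-05-06T10:01:12Z level=info msg="qqbot reply" channel=c-1 text="your image: [media:images/cat.png]"',
  'ts=2026-05-06T10:02:40Z level=info msg="qqbot reply" channel=c-2 text="[media:../../../../etc/passwd]"',
  'ts=2026-05-06T10:03:05Z level=info msg="qqbot reply" channel=c-2 text="[media:/opt/openclaw/config.json]"',
  'ts=2026-05-06T10:03:40Z level=info msg="qqbot reply" channel=c-3 text="see [media:a/../thumbs/b.png] and [media:images/dog.png]"',
  'ts=2026-05-06T10:04:00Z level=info msg="qqbot reply" channel=c-4 text="no media here"',
];

// One line per finding, suitable for forwarding to a log pipeline or ticket.
export function summarize(findings: Finding[]): string[] {
  return findings.map(
    (f) => `line ${f.line} [${f.severity}] ${f.reason}: ${f.ref} -> ${f.resolved}`
  );
}

// Example run: summarize(scanReplyLog(SAMPLE_LOG, "/var/lib/openclaw/media"))
```

Run with the media root your deployment actually configures; the resolution step matters because a traversal that only looks suspicious in the raw text (`a/../thumbs/b.png`) and one that reaches a host file (`../../../../etc/passwd`) are indistinguishable by a plain substring search for `..`. Absolute references are caught by the same containment test without any special casing.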
Monitoring Recommendations
- Enable verbose logging in the QQBot extension to record every resolved file path before transmission.
- Forward OpenClaw application logs and host filesystem audit events into a centralized analytics platform for correlation.
- Track the OpenClaw release version in asset inventories and flag any host running a build older than 2026.4.10.
How to Mitigate CVE-2026-43533
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which contains commit 604777e.
- Audit recent QQBot conversation logs for media tags containing path traversal sequences or absolute paths.
- Rotate any secrets, tokens, or credentials stored on hosts running vulnerable OpenClaw builds, since they may have been disclosed.
Patch Information
The upstream fix is published in the OpenClaw GitHub Security Advisory GHSA-66r7-m7xm-v49h and delivered in commit 604777e. Additional technical context is available in the VulnCheck advisory. The patch enforces the media storage boundary for every outbound local file path and introduces an opt-in allowQQBotDataDownloads flag for callers that legitimately need broader access.
Workarounds
- Disable the QQBot extension until the host is upgraded to 2026.4.10 or later.
- Restrict the OpenClaw process with filesystem isolation, for example by running it under a dedicated user with read access limited to the media storage directory.
- Place the OpenClaw service inside a container or chroot that excludes sensitive host paths from its mount namespace.
# Verify the installed OpenClaw version and upgrade if it is older than 2026.4.10
npm ls openclaw
npm install openclaw@">=2026.4.10"
# Optional: run OpenClaw with a restricted filesystem view via systemd.
# Note that ProtectSystem=strict only makes /usr, /boot, /efi and /etc read-only,
# and ProtectHome= hides home directories; world-readable files elsewhere remain
# readable. Pair these settings with a dedicated service user whose permissions
# are limited to the media directory and, for specific sensitive paths, an
# InaccessiblePaths= entry. Run systemctl daemon-reload after writing the drop-in.
# /etc/systemd/system/openclaw.service.d/override.conf
[Service]
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/openclaw/media
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


