CVE-2026-44111 Overview
CVE-2026-44111 is an arbitrary file read vulnerability in OpenClaw versions before 2026.4.15. The flaw resides in the QMD backend memory_get function, which fails to constrain reads to canonical memory locations. Callers with access to the memory tool can supply arbitrary workspace Markdown paths and retrieve any .md file within the workspace root. The issue is tracked as [CWE-183] and is documented in the GitHub Security Advisory GHSA-f934-5rqf-xx47.
Critical Impact
Authenticated callers can bypass path restrictions in the QMD memory backend to read Markdown files outside the indexed memory set, exposing workspace content not intended for retrieval through the memory tool.
Affected Products
- OpenClaw versions prior to 2026.4.15
- OpenClaw extensions/memory-core QMD manager component
- Deployments exposing the QMD memory_get tool to low-privilege callers
Discovery Timeline
- 2026-05-06 - CVE-2026-44111 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-44111
Vulnerability Analysis
The vulnerability resides in the QMD memory backend that ships with OpenClaw's memory-core extension. The memory_get function accepts a path argument intended to identify a canonical memory entry. The implementation does not constrain that path to the indexed QMD result set or the canonical memory directory. As a result, any Markdown file located beneath the workspace root can be returned to the caller.
The issue is classified under [CWE-183] (Permissive List of Allowed Inputs). The function permits broader inputs than the documented memory namespace, treating arbitrary workspace .md files as valid memory entries. Confidentiality of workspace Markdown content is impacted, while integrity and availability are not.
Root Cause
The QMD manager resolved caller-supplied paths against the workspace root rather than against the canonical memory directory. Inputs that pointed to Markdown files outside indexed memory locations were accepted because the validation logic only checked containment within the workspace, not membership in the memory index.
Attack Vector
Exploitation requires network access to the OpenClaw instance and low privileges sufficient to invoke the memory tool. No user interaction is required. An attacker calls memory_get with a workspace-relative path pointing to a Markdown file outside the canonical memory set and receives the file contents in the response.
// Patch excerpt: extensions/memory-core/src/memory/qmd-manager.ts
// Align QMD memory reads with canonical memory paths (#66026)
resolveStateDir,
writeFileWithinRoot,
type OpenClawConfig,
- type ResolvedMemorySearchSyncConfig,
} from "openclaw/plugin-sdk/memory-core-host-engine-foundation";
import {
buildSessionEntry,
Source: GitHub commit 37d5971. The patch refactors QMD reads so they resolve through canonical memory path helpers instead of generic workspace path utilities.
Detection Methods for CVE-2026-44111
Indicators of Compromise
- Unexpected memory_get invocations referencing Markdown paths outside the canonical memory directory.
- QMD audit entries returning files that are not part of the indexed memory result set.
- Repeated memory_get calls iterating across workspace subdirectories from a single caller identity.
Detection Strategies
- Inspect OpenClaw application logs for memory_get requests where the resolved path falls outside the canonical memory directory.
- Correlate memory tool calls with the QMD index to flag reads of non-indexed Markdown files.
- Alert on caller identities issuing high volumes of memory_get requests targeting distinct paths.
Monitoring Recommendations
- Forward OpenClaw access and tool-invocation logs to a centralized SIEM for retention and review.
- Monitor file-system access on workspace roots for read patterns that match QMD service account activity outside expected directories.
- Track the deployed OpenClaw version and alert when instances run a release earlier than 2026.4.15.
How to Mitigate CVE-2026-44111
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.15 or later, which contains the canonical memory path fix.
- Restrict access to the QMD memory tool to trusted callers and remove unnecessary low-privilege grants.
- Audit workspace Markdown content for sensitive material and relocate or redact files that should not be reachable through the memory tool.
Patch Information
The fix is delivered in commit 37d5971db36491d5050efd42c333cbe0b98ed292, which aligns QMD memory reads with canonical memory paths. Additional context is available in the GitHub Security Advisory GHSA-f934-5rqf-xx47 and the VulnCheck advisory.
Workarounds
- Disable or gate the QMD memory_get tool until the patched release is deployed.
- Move sensitive Markdown content out of the workspace root used by OpenClaw.
- Apply network and authentication controls so only trusted identities can invoke memory tools.
# Verify the deployed OpenClaw version meets the patched baseline
openclaw --version
# Expected output: 2026.4.15 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
