
CVE-2026-53825: OpenClaw Path Traversal Vulnerability

CVE-2026-53825 is a path traversal vulnerability in OpenClaw that allows authenticated operators holding the operator.write scope to read arbitrary local files through the memory-wiki ingest feature. This article covers technical details, affected versions, detection, and mitigation.


CVE-2026-53825 Overview

CVE-2026-53825 is a path traversal vulnerability [CWE-22] in OpenClaw versions before 2026.4.7. The flaw resides in the memory-wiki ingest feature exposed through the Gateway. Authenticated operators holding the operator.write scope can supply arbitrary local file paths to the ingest endpoint. OpenClaw then reads those files and imports their contents into wiki memory, bypassing the intended ingest source restrictions.

The vulnerability enables attackers with valid operator credentials to exfiltrate sensitive files from the host filesystem. Targets include configuration files, secrets, keys, and other artifacts accessible to the OpenClaw process.

Critical Impact

Authenticated operators with operator.write scope can read arbitrary local files on the OpenClaw host, exposing credentials, configuration data, and other sensitive content.

Affected Products

  • OpenClaw (Node.js distribution) versions prior to 2026.4.7
  • Deployments exposing the Gateway memory-wiki ingest endpoint
  • Environments granting third-party identities the operator.write scope

Discovery Timeline

  • 2026-06-12 - CVE-2026-53825 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-53825

Vulnerability Analysis

The vulnerability lives in the memory-wiki ingest pipeline of the OpenClaw Gateway. The ingest endpoint accepts a source identifier from authenticated callers and pulls its content into wiki memory. The implementation does not constrain the source to the configured ingest catalog. An attacker authenticated with the operator.write scope can substitute a local filesystem path for the expected source reference.

OpenClaw resolves the path with the privileges of the runtime process and returns the file body inside the wiki document. This converts a write-scoped feature into an arbitrary read primitive. Sensitive targets include /etc/passwd, application configuration, API tokens, and any private keys mounted into the container.

The issue is exploitable over the network against any exposed Gateway. It does not require user interaction or elevated privileges beyond a standard operator token. See the VulnCheck Advisory on OpenClaw for additional technical context.

Root Cause

The ingest handler trusts caller-supplied source paths without validating that they resolve inside the allow-listed ingest sources. There is no canonicalization step (symlinks and ".." segments are not resolved before the check) and no scope-aware filesystem boundary, so a write-scoped caller can point the handler at any file the process can open. This classifies the defect as [CWE-22] Path Traversal.

Attack Vector

An attacker obtains or compromises an operator token carrying the operator.write scope. The attacker then issues an ingest request to the Gateway specifying a local file path as the ingest source. OpenClaw reads the file and stores it as a wiki document, which the attacker subsequently retrieves through normal wiki read operations.

No verified public proof-of-concept is available. Refer to the GitHub Security Advisory GHSA-p2fh-f5fc-44hr for vendor-provided technical detail.

Detection Methods for CVE-2026-53825

Indicators of Compromise

  • Memory-wiki ingest requests whose source parameter contains absolute filesystem paths, file:// URIs, or directory traversal sequences such as ../ (including percent-encoded forms like %2e%2e%2f)
  • Newly created wiki documents containing content from sensitive system files like /etc/passwd, .env, or private key material
  • Spikes in operator.write API calls originating from unexpected IP addresses or service accounts

Detection Strategies

  • Inspect Gateway access logs for ingest endpoint calls that reference absolute paths or local filesystem schemes
  • Correlate operator token usage with ingest activity to surface tokens issuing anomalous ingest volumes
  • Diff wiki document contents against expected ingest sources to identify documents sourced from outside the configured catalog

Monitoring Recommendations

  • Forward OpenClaw Gateway logs to a centralized analytics platform and alert on ingest sources that fail allow-list validation
  • Track per-token ingest baselines and trigger alerts when an operator deviates from historical patterns
  • Monitor filesystem access on OpenClaw hosts for reads of credential, key, and configuration files performed by the OpenClaw process

How to Mitigate CVE-2026-53825

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.7 or later on every Gateway instance
  • Rotate any operator tokens, API keys, and secrets that may have been accessible to the OpenClaw process
  • Audit existing wiki memory for documents whose content matches sensitive host files and purge them
  • Restrict the operator.write scope to a minimum set of trusted identities until patching is complete

Patch Information

The OpenClaw maintainers released the fix in version 2026.4.7. Patch details and remediation guidance are published in the GitHub Security Advisory GHSA-p2fh-f5fc-44hr. Apply the upgrade through the standard package manager update path used in your deployment.

Workarounds

  • Disable the memory-wiki ingest feature on Gateways that cannot be upgraded immediately
  • Place the Gateway behind a reverse proxy that rejects ingest requests containing absolute paths, file:// URIs, or traversal sequences; treat this as a stopgap only, since encoding tricks and alternative path forms can slip past a request filter, and the application-side fix in 2026.4.7 remains required
  • Run the OpenClaw process under a dedicated low-privilege user with filesystem access scoped strictly to the ingest source directory; this limits the blast radius, but files the process itself must read (its own configuration and credentials) remain exposed to the read primitive until patched
  • Revoke operator.write from automation accounts that do not require wiki ingest capability

```bash
# Configuration example: upgrade OpenClaw and restrict process filesystem access
npm install -g openclaw@2026.4.7

# Run OpenClaw under a dedicated unprivileged account whose home holds the ingest data root
# (--create-home is needed: --system alone does not create the home directory)
sudo useradd --system --create-home --home-dir /var/lib/openclaw --shell /usr/sbin/nologin openclaw
sudo mkdir -p /var/lib/openclaw/ingest
sudo chown -R openclaw:openclaw /var/lib/openclaw
sudo chmod 750 /var/lib/openclaw

# OPENCLAW_INGEST_ROOT is illustrative; confirm the real setting name in the OpenClaw documentation.
# 'env' passes the variable explicitly so it is not dropped by sudo's environment reset.
sudo -u openclaw env OPENCLAW_INGEST_ROOT=/var/lib/openclaw/ingest openclaw start
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
