CVE-2026-26329
EPSS 0.02%
OpenClaw has a path traversal in browser upload that allows local file read
Description
## Summary

Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` API without restricting them to a safe root. Severity remains **High** because of the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access.

## Exploitability / Preconditions

This is not a "drive-by" issue. An attacker must:

- Reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints).
- Present valid Gateway auth (bearer token / password), as required by the Gateway configuration.
  - In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback.
- Have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled).

If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Vulnerable: `< 2026.2.14` (includes `2026.2.13`, the latest version published when the advisory was written)
- Patched: `>= 2026.2.14` (the release tag is linked in the references below)

## Details

**Entry points**:

- `POST /tools/invoke` with `{"tool":"browser","action":"upload",...}`
- `POST /hooks/file-chooser` (browser control hook)

When the upload paths are not validated, Playwright reads the referenced files from the local filesystem and attaches them to a page-level `<input type="file">`. The contents can then be exfiltrated by page JavaScript (e.g. via `FileReader`) or via agent/browser snapshots.

Impact: arbitrary local file read on the Gateway host (confidentiality impact).

## Fix

Upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`), and traversal/escape paths are rejected.

This fix was implemented internally; the reporter provided a clear reproduction and impact analysis.

Fix commit(s):

- 3aa94afcfd12104c683c9cad81faf434d0dadf87

Thanks @p80n-sec for reporting.
Affected packages (1)
- npm/openclaw: from 0, < 2026.2.14
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-26329
- PATCH: https://github.com/openclaw/openclaw
- WEB: https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87
- WEB: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- WEB: https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q