CVE-2026-32061

描述

## Vulnerability Path traversal in config `$include` resolution allowed arbitrary local file reads outside the config directory boundary (CWE-22). ### Attack Vectors 1. If an attacker can modify OpenClaw config, they can set `$include` to absolute paths (for example `/etc/passwd`) and read files accessible to the OpenClaw process. 2. If an attacker can modify OpenClaw config, they can use traversal paths (for example `../../...`) to escape the config directory. 3. If an attacker can create symlinks inside the config directory, they can point includes to external files unless real-path checks are enforced. 4. Impact scope is bounded by the file permissions of the OpenClaw runtime user; this is not an unauthenticated remote-only vector by itself. ## Impact A successful exploit can expose local secrets and credentials readable by the OpenClaw process user, including API keys and private config material. ## Affected Packages / Versions - Package: `openclaw` (npm) - Vulnerable versions: `<=2026.2.15` - Patched versions: `>=2026.2.17` ## Fix Commit(s) - `d1c00dbb7c64a39e205464dae7f2a068420e91c1` ## Release Process Note Patched version is pre-set to `2026.2.17`. Once npm release `2026.2.17` is available, this advisory is ready to publish. OpenClaw thanks @aether-ai-agent for reporting.

受影響套件(1)

• npm/openclawfrom 0, < 2026.2.17

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-32061
• PATCHhttps://github.com/openclaw/openclaw
• WEBhttps://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1
• WEBhttps://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4
• WEBhttps://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal