4 matches found
CVE-2026-32846
OpenClaw through 2026.3.23 fixed in commit 4797bbc contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath and isValidMedia functions. Attackers can exploit incomplete validation and the...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +11 more potentially affected by CVE-2026-32846 via openclaw (>=2026.3.22 <=2026.3.24)
openclaw NPM version =2026.3.22, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 Source cves: CVE-2026-32846 Source advisory: SNYK:JS-OPENCLAW-15789429...
CVE-2026-32846
OpenClaw prior to 2026.3.23 contains a path traversal vulnerability in media parsing that can read arbitrary files by bypassing path validation in isLikelyLocalPath() and isValidMedia(), with the allowBareFilename bypass enabling access to files outside the application sandbox. Impact includes di...
CVE-2026-32846 OpenClaw < 2026.3.28 Media Parsing Path Traversal to Arbitrary File Read
OpenClaw before 2026.3.28 contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath and isValidMedia functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to...