CVE-2026-26329
OpenClaw has a path traversal in browser upload allows local file read
Description
## Summary Authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the browser tool's `upload` action. The server passed these paths to Playwright's `setInputFiles()` APIs without restricting them to a safe root. Severity remains **High** due to the impact (arbitrary local file read on the Gateway host), even though exploitation requires authenticated access. ## Exploitability / Preconditions This is not a "drive-by" issue. An attacker must: - Reach the Gateway HTTP surface (or otherwise invoke the same browser control hook endpoints). - Present valid Gateway auth (bearer token / password), as required by the Gateway configuration. - In common default setups, the Gateway binds to loopback and the onboarding wizard generates a gateway token even for loopback. - Have the `browser` tool permitted by tool policy for the target session/context (and have browser support enabled). If an operator exposes the Gateway beyond loopback (LAN/tailnet/custom bind, reverse proxy, tunnels, etc.), the impact increases accordingly. ## Affected Packages / Versions - Package: `openclaw` (npm) - Vulnerable: `< 2026.2.14` (includes latest published `2026.2.13`) - Patched: `>= 2026.2.14` (planned next release) ## Details **Entry points**: - `POST /tools/invoke` with `{"tool":"browser","action":"upload",...}` - `POST /hooks/file-chooser` (browser control hook) When the upload paths are not validated, Playwright reads the referenced files from the local filesystem and attaches them to a page-level `<input type="file">`. Contents can then be exfiltrated by page JavaScript (e.g. via `FileReader`) or via agent/browser snapshots. Impact: arbitrary local file read on the Gateway host (confidentiality impact). ## Fix Upload paths are now confined to OpenClaw's temp uploads root (`DEFAULT_UPLOAD_DIR`) and traversal/escape paths are rejected. This fix was implemented internally; the reporter provided a clear reproduction and impact analysis. Fix commit(s): - 3aa94afcfd12104c683c9cad81faf434d0dadf87 Thanks @p80n-sec for reporting.
How to fix CVE-2026-26329
To remediate CVE-2026-26329, upgrade the affected package to a fixed version below.
- —upgrade to 2026.2.14 or later
Is CVE-2026-26329 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.