CVE-2026-43567

Description

## Summary screen_record outPath bypassed workspace-only filesystem guard. ## Affected Packages / Versions - Package: `openclaw` - Ecosystem: npm - Affected versions: `< 2026.4.10` - Patched versions: `>= 2026.4.10` ## Impact The node-host screen recording tool could honor an `outPath` outside the workspace guard, allowing an authorized tool call to write outside the intended workspace boundary. ## Technical Details The fix applies the workspace-root guard to node tool `outPath` handling, including screen recording paths. ## Fix The issue was fixed in #63551. The first stable tag containing the fix is `v2026.4.10`, and `[email protected]` includes the fix. ## Fix Commit(s) - `635bb35b68d8faa5bfa2fda35feadd315122748a` - PR: #63551 ## Release Process Note Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix. ## Credits Thanks to @anshumanbh for reporting this issue.

How to fix CVE-2026-43567

To remediate CVE-2026-43567, upgrade the affected package to a fixed version below.

• —upgrade to 2026.4.10 or later

Is CVE-2026-43567 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.4.10

CVSS scores

References (4)

• PATCHgithub.com/openclaw/openclaw
• WEBgithub.com/openclaw/openclaw/commit/635bb35b68d8faa5bfa2fda35feadd315122748a
• WEBgithub.com/openclaw/openclaw/pull/63551
• WEBgithub.com/openclaw/openclaw/security/advisories/GHSA-jf25-7968-h2h5