CVSS 8.6 · HIGH

CVE-2026-43533

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.

View on NVD

Analysis

OpenClaw is a niche open-source project, often associated with QQBot integrations or game engine reimplementations, which has negligible adoption in the Mexican developer ecosystem. While an arbitrary file read is a serious vulnerability, the software's deployment scale does not warrant a community-wide alert.

Severity

Score: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-23

EPSS

Probability of exploitation (next 30 days): 0.0004 (0.0%)
Percentile: 12.2%
EPSS date: 2026-05-06

Affects

openclaw:openclaw


Published: 5/5/2026, 12:16:19 PM
Last modified: 5/7/2026, 1:53:48 AM
