CVSS 8.6 · HIGH

CVE-2026-43533

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.

View on NVD

Analysis

OpenClaw is a niche open-source project, often associated with QQBot integrations or game engine reimplementations, with negligible adoption in the Mexican developer ecosystem. An unauthenticated, network-reachable arbitrary file read (AV:N, PR:N, UI:N) is serious for anyone who actually runs the affected QQBot integration, and those operators should upgrade to 2026.4.10 or later, but the software's deployment scale does not warrant a community-wide alert.

Severity

Score: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Weakness type (CWE): CWE-23 (Relative Path Traversal)

EPSS

Exploitation probability (next 30 days): 0.0004 (0.04%)
Percentile: 12.2%
EPSS date: 2026-05-06

Affects

openclaw:openclaw

Technical description

The weakness behind the summary above is classified as CWE-23 (relative path traversal). A media reference taken from reply text is resolved against OpenClaw's media storage directory without confirming that the resulting path stays inside that directory, so outbound media handling can end up attaching any file the OpenClaw process is able to read, rather than only files in the intended media store. The CVSS vector records the consequence: the scope is Changed (S:C) because the disclosed data belongs to the host rather than to the bot's media component, confidentiality impact is High, and integrity and availability are unaffected. Versions 2026.4.10 and later contain the fix.
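The following is an added example, not OpenClaw's code, that shows the path-traversal pattern described above beside a containment check that closes it. Everything about the tag grammar is assumed for illustration: the page does not show OpenClaw's real media-tag syntax, so the example uses a hypothetical `[media:<path>]` form, a hypothetical media root of `/var/openclaw/media`, and a constructed sample reply. TypeScript is an assumed choice of language for a Node-based bot integration; the check itself is language-independent.

```typescript
import * as path from "path";

// Pull every media reference out of an outbound reply.
// Hypothetical tag syntax "[media:<path>]", assumed for this example only.
function extractMediaRefs(replyText: string): string[] {
  const refs: string[] = [];
  const re = /\[media:([^\]]+)\]/g; // fresh regex so lastIndex state is not shared
  let m: RegExpExecArray | null;
  while ((m = re.exec(replyText)) !== null) {
    refs.push(m[1].trim());
  }
  return refs;
}

// Vulnerable pattern (CWE-23): the reference is resolved against the media
// root with no containment check, so "../" segments or an absolute path
// escape the directory and any file readable by the bot can be attached.
function resolveMediaPathUnsafe(mediaRoot: string, ref: string): string {
  return path.posix.resolve(mediaRoot, ref);
}

// Hardened version: reject absolute references, normalise, then require the
// result to stay inside mediaRoot. Returns null for anything that escapes.
// Note: this is a lexical check; if the media root may contain symlinks,
// also compare realpath() results before opening the file.
function resolveMediaPathSafe(mediaRoot: string, ref: string): string | null {
  if (!path.posix.isAbsolute(mediaRoot)) throw new Error("mediaRoot must be absolute");
  if (ref.length === 0 || path.posix.isAbsolute(ref)) return null;
  const root = path.posix.resolve(mediaRoot);
  const candidate = path.posix.resolve(root, ref);
  const rel = path.posix.relative(root, candidate);
  // rel is "" when candidate === root (a directory, not a media file),
  // and is ".." or starts with "../" when candidate lies outside root.
  if (rel === "" || rel === ".." || rel.startsWith("../")) return null;
  return candidate;
}

// Outbound media handling: map each tag to an allowed file path, dropping
// any reference that resolves outside the media store.
function collectOutboundMedia(
  replyText: string,
  mediaRoot: string
): { allowed: string[]; rejected: string[] } {
  const allowed: string[] = [];
  const rejected: string[] = [];
  for (const ref of extractMediaRefs(replyText)) {
    const resolved = resolveMediaPathSafe(mediaRoot, ref);
    if (resolved === null) rejected.push(ref);
    else allowed.push(resolved);
  }
  return { allowed, rejected };
}

// Constructed sample reply and media root, not taken from any real incident.
const MEDIA_ROOT = "/var/openclaw/media";
const SAMPLE_REPLY =
  "Here is your photo [media:2026/05/photo.png] and also [media:../../../../etc/passwd]";

console.log(resolveMediaPathUnsafe(MEDIA_ROOT, "../../../../etc/passwd")); // /etc/passwd
console.log(collectOutboundMedia(SAMPLE_REPLY, MEDIA_ROOT));
```

The `relative()` check is preferred over a string-prefix comparison such as `candidate.startsWith(root)`, which would wrongly accept a sibling directory like `/var/openclaw/media-old/secret`. The unsafe resolver also shows why "deny absolute paths" alone is not enough: the traversal payload is a relative path, which is exactly what CWE-23 covers.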

Published: 2026-05-05 12:16:19
Last modified: 2026-05-07 01:53:48
