GHSA-56pc-6hvp-4gv4: OpenClaw vulnerable to arbitrary file read via $include directive
Summary
OpenClaw's `$include` directive is vulnerable to path traversal (CWE-22, improper limitation of a pathname to a restricted directory), which allows arbitrary file reads. An attacker who can modify OpenClaw's configuration file can point an `$include` at any file the OpenClaw process can read by using an absolute path, a directory traversal sequence such as `../../`, or a symbolic link placed inside the configuration directory that targets a file outside it, potentially exposing secrets and API keys.
Solution / Mitigation
Update OpenClaw to version 2026.2.17 or later. The vulnerability is fixed in npm package `openclaw` version `>=2026.2.17` (vulnerable versions: `<=2026.2.15`).
Original source: https://github.com/advisories/GHSA-56pc-6hvp-4gv4
First tracked: March 3, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 75%