{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32061", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:51:58.637Z", "datePublished": "2026-03-11T13:32:34.842Z", "dateUpdated": "2026-03-11T14:37:31.749Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T13:32:34.842Z"}, "datePublic": "2026-02-21T00:00:00.000Z", "title": "OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal", "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "0", "status": "affected", "lessThan": "2026.2.17", "versionType": "semver"}, {"status": "unaffected", "version": "2026.2.17"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "2026.2.17"}, {"vulnerable": false, "criteria": "cpe:2.3:a:openclaw:openclaw:2026.2.17:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.7, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4", "name": "GitHub Security Advisory (GHSA-56pc-6hvp-4gv4)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1", "name": "Patch Commit", "tags": ["issue-tracking"]}, {"name": "VulnCheck Advisory: OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal"}], "x_generator": {"engine": "vulncheck"}, "credits": [{"lang": "en", "value": "Aether AI (@aether-ai-agent)", "type": "reporter"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T14:37:21.418861Z", "id": "CVE-2026-32061", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:37:31.749Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32061", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-10T19:51:58.637Z", "datePublished": "2026-03-11T13:32:34.842Z", "dateUpdated": "2026-03-11T14:37:31.749Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-11T13:32:34.842Z"}, "datePublic": "2026-02-21T00:00:00.000Z", "title": "OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal", "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "cweId": "CWE-22", "type": "CWE"}]}], "affected": [{"vendor": "openclaw", "product": "openclaw", "versions": [{"version": "0", "status": "affected", "lessThan": "2026.2.17", "versionType": "semver"}, {"status": "unaffected", "version": "2026.2.17"}], "defaultStatus": "unaffected", "packageURL": "pkg:npm/openclaw"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "2026.2.17"}, {"vulnerable": false, "criteria": "cpe:2.3:a:openclaw:openclaw:2026.2.17:*:*:*:*:*:*:*"}]}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 6.7, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4", "name": "GitHub Security Advisory (GHSA-56pc-6hvp-4gv4)", "tags": ["third-party-advisory"]}, {"url": "https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1", "name": "Patch Commit", "tags": ["issue-tracking"]}, {"name": "VulnCheck Advisory: OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal"}], "x_generator": {"engine": "vulncheck"}, "credits": [{"lang": "en", "value": "Aether AI (@aether-ai-agent)", "type": "reporter"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T14:37:21.418861Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T14:37:26.875Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "51DF5608-003E-4FA0-8025-5822571495F2", "versionEndExcluding": "2026.2.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversal sequences, or symlinks to access sensitive files readable by the OpenClaw process user, including API keys and credentials."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a la 2026.2.17 contienen una vulnerabilidad de salto de ruta en la resoluci\u00f3n de la directiva $include que permite la lectura de archivos locales arbitrarios fuera del l\u00edmite del directorio de configuraci\u00f3n. Atacantes con capacidades de modificaci\u00f3n de configuraci\u00f3n pueden explotar esto especificando rutas absolutas, secuencias de salto de ruta o enlaces simb\u00f3licos para acceder a archivos sensibles legibles por el usuario del proceso de OpenClaw, incluyendo claves de API y credenciales."}], "id": "CVE-2026-32061", "lastModified": "2026-03-16T18:00:12.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-11T14:16:28.140", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/openclaw/openclaw/commit/d1c00dbb7c64a39e205464dae7f2a068420e91c1"}, {"source": "disclosure@vulncheck.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-include-directive-path-traversal"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2026.2.17)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2026.2.17"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "openclaw", "source": "cna", "vendor": "openclaw"}, "product": "openclaw", "vendor": "openclaw"}], "analysis": {"en": {"generated_at": "2026-03-17T16:01:13.575230+00:00", "value": {"mitigation_remediation": ["Verify the OpenClaw version currently in use.", "If the version is older than 2026.2.17, apply the vendor patch by upgrading to 2026.2.17 or a later release.", "If an upgrade is not immediately possible, change file system permissions so that the OpenClaw process user cannot read sensitive files outside the configuration directory.", "Monitor configuration files and system logs for unauthorized changes to the $include directive."], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected systems are installations of the OpenClaw application from the openclaw:openclaw vendor. Versions earlier than 2026.2.17 are impacted. The Common Platform Enumeration entries indicate usage of any platform, including Node.js environments. Therefore, any deployment running a pre\u20112026.2.17 build is susceptible.", "description_and_impact": "OpenClaw versions before 2026.2.17 have a path traversal vulnerability in the $include directive that allows an attacker with the ability to modify configuration files to read arbitrary local files outside the intended configuration directory. An attacker can supply absolute paths, traversal sequences, or symlinks in the $include directive to gain read access to files that the OpenClaw process user can read, including API keys, credentials, and other sensitive data. This results in confidentiality compromise for any files accessible to the OpenClaw process.", "risk_and_exploitability": "The CVSS score is 6.7, indicating moderate severity. The EPSS score is less than 1%, suggesting a low likelihood of exploitation. The vulnerability is not present in the CISA KEV catalog. The attack vector is local, requiring the attacker to have the ability to modify configuration files or otherwise inject the $include directive. Successful exploitation would result in the attacker gaining read access to any files readable by the OpenClaw process user, which could compromise credential integrity and confidentiality. Because the flaw is an uncontrolled path traversal, it cannot be mitigated through network isolation alone."}}}}, "created": "2026-03-12T10:05:54.394300+00:00", "updated": "2026-03-20T14:37:15.989078+00:00", "vendors": ["openclaw", "openclaw$PRODUCT$openclaw"]}