CVE-2026-53825: OpenClaw: path traversal exposes local files via wiki ingest

MEDIUM
Published June 12, 2026
CISO Take

OpenClaw, an AI agent platform supporting memory-augmented workflows, contains a path traversal vulnerability (CWE-22) in its memory-wiki ingest feature that allows any authenticated user holding operator.write scope to read arbitrary local files on the host running the service. While exploitation requires an authenticated account rather than anonymous access, the barrier is low in organizations with broadly granted operator roles — and with 175 CVEs in the same package, this software carries a serious vulnerability history that warrants scrutiny. Path traversal in an agent's file ingestion pipeline is a particularly dangerous class in AI/ML environments where the process often has access to API keys, model configuration, database credentials, and training data. Organizations running OpenClaw should upgrade to version 2026.4.7 or later immediately; if patching is not possible, restrict operator.write access to the minimum required users and monitor wiki ingest requests for anomalous file path patterns.

Sources: NVD, GitHub Advisory, VulnCheck, ATLAS

What is the risk?

Medium CVSS (6.5) understates the real risk in AI/ML deployments where OpenClaw processes routinely hold read access to sensitive directories containing credentials, model configs, and training data. The network-accessible attack vector with low-privilege prerequisites means any compromised operator account — a realistic threat in multi-user agent platforms — is sufficient for exploitation. The package's history of 175 CVEs indicates a systemic pattern of security issues, reducing confidence in compensating controls within the software itself.

How does the attack unfold?

Initial Access (AML.T0012): Attacker obtains or already holds operator.write credentials via phishing, credential stuffing, or a compromised OpenClaw skills account.
Exploitation (AML.T0049): Attacker submits a wiki ingest API request specifying an arbitrary local file path (e.g., /opt/openclaw/.env), bypassing path validation via CWE-22 path traversal.
Collection (AML.T0037): OpenClaw reads the targeted file and stores its contents in the agent's wiki memory without sanitization, making the data queryable via the conversation interface or API.
Exfiltration (AML.T0085.001): Attacker retrieves ingested file contents — API keys, database credentials, SSH keys — from the wiki memory context and leverages them for lateral movement into connected AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents, 70% patched, ~0d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

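Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None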

What should I do?

1) Patch immediately: upgrade to OpenClaw 2026.4.7 or later per the vendor advisory at GHSA-p2fh-f5fc-44hr.
2) Restrict operator.write scope to the minimum required set of service accounts and humans — audit current role assignments before patching.
3) Run the OpenClaw process under a dedicated OS user with filesystem access restricted via OS-level permissions (chroot, AppArmor, or seccomp) to only the intended ingest source directories.
4) Enable audit logging on wiki ingest requests and alert on paths containing '../', absolute paths outside expected directories, or attempts to read /etc/, ~/.ssh/, or .env files.
5) Rotate any credentials stored in files accessible by the OpenClaw process until the system is fully patched.
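The alerting rule in step 4, sketched as an added example (not OpenClaw code and not part of the advisory). The JSON-lines event format, the "user" and "path" field names, and the /srv/openclaw/ingest root are assumptions; the sample events are constructed.

```python
import json
import posixpath

INGEST_ROOT = "/srv/openclaw/ingest"  # assumption: the intended ingest source


def flag_reasons(path: str) -> list:
    """Return the reasons an ingest path deserves an alert (empty if none)."""
    # Resolve the way a plain join would, to see where the read would land.
    resolved = posixpath.normpath(posixpath.join(INGEST_ROOT, path))
    parts = resolved.split("/")
    reasons = []
    if ".." in path.split("/"):
        reasons.append("dot-dot segment")
    if resolved != INGEST_ROOT and not resolved.startswith(INGEST_ROOT + "/"):
        reasons.append("resolves outside ingest root")
    if resolved.startswith("/etc/") or ".ssh" in parts:
        reasons.append("sensitive directory")
    if parts[-1] == ".env" or parts[-1].startswith(".env."):
        reasons.append(".env file")
    return reasons


def scan(lines) -> list:
    """Return (line_no, user, path, reasons) for every suspicious event."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except ValueError:
            continue  # not a JSON event; a real pipeline would count these
        path = event.get("path") if isinstance(event, dict) else None
        if isinstance(path, str):
            reasons = flag_reasons(path)
            if reasons:
                alerts.append((line_no, event.get("user"), path, reasons))
    return alerts


# Constructed sample events, not real OpenClaw output.
SAMPLE_LOG = [
    '{"user": "svc-docs", "path": "handbook/onboarding.md"}',
    '{"user": "alice", "path": "/opt/openclaw/.env"}',
    '{"user": "alice", "path": "../../../../etc/passwd"}',
    '{"user": "bob", "path": "../../home/bob/.ssh/id_ed25519"}',
    '{"user": "svc-docs", "path": "team/../handbook/faq.md"}',
    'truncated line, not JSON',
]
```

Events flagged only for a dot-dot segment that still resolve inside the root (line 5 of the sample) are lower priority than those that resolve outside it.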

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.4 - Access control for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of AI systems
OWASP LLM Top 10
LLM08 - Excessive Agency

Frequently Asked Questions


Is CVE-2026-53825 actively exploited?

No confirmed active exploitation of CVE-2026-53825 has been reported, but organizations should still patch proactively.


What systems are affected by CVE-2026-53825?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Memory-augmented agents, RAG pipelines, Agent knowledge bases.

What is the CVSS score for CVE-2026-53825?

CVE-2026-53825 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Memory-augmented agents, RAG pipelines, Agent knowledge bases

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0080.000 Memory
AML.T0085.001 AI Agent Tools

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.4.7 contains an arbitrary file read vulnerability in the memory-wiki ingest feature that allows authenticated Gateway operators with operator.write scope to read local files outside intended ingest sources. Attackers with operator.write access can specify arbitrary local file paths to import file content into wiki memory, bypassing access restrictions.

Exploitation Scenario

An attacker with operator.write credentials — obtained via phishing, credential stuffing against the OpenClaw portal, or compromised through the skills ecosystem (as documented in AIID #1368) — submits a wiki ingest API call specifying an arbitrary file path such as '/opt/openclaw/.env' or '../../../../etc/passwd'. OpenClaw reads the file without validating that the path falls within the intended ingest source directory, ingests its contents into the wiki memory store, and returns a success response. The attacker then queries the agent's wiki or conversation context to retrieve the ingested file content, obtaining API keys, database credentials, or configuration secrets that enable lateral movement to connected AI infrastructure components such as vector databases, model registries, or cloud provider APIs.
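The missing validation described above, shown as an added example beside the flawed join-and-read pattern (illustrative code, not taken from OpenClaw or its patch). The function names and the /srv/openclaw/ingest root used in testing are hypothetical; the directory tree in demo() is constructed.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(ingest_root: str, requested: str) -> str:
    """The flawed pattern: join the two strings and trust the result."""
    # os.path.join drops ingest_root entirely when `requested` is absolute,
    # and normpath walks '..' above the root without complaint.
    return os.path.normpath(os.path.join(ingest_root, requested))


def safe_resolve(ingest_root: str, requested: str) -> Path:
    """Return the real path under ingest_root, or raise PermissionError."""
    root = Path(ingest_root).resolve(strict=True)
    # resolve() collapses '..' and follows symlinks, so the comparison is made
    # on the file that would actually be opened.
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"outside ingest root: {requested!r}") from None
    return candidate


def demo() -> dict:
    """Classify sample requests against a constructed directory tree."""
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "ingest")
        root.mkdir()
        (root / "notes.md").write_text("wiki page")
        secret = Path(tmp, ".env")
        secret.write_text("API_KEY=constructed-value")
        (root / "link.md").symlink_to(secret)  # symlink that leaves the root
        requests = {"relative": "notes.md", "dot-dot": "../.env",
                    "absolute": str(secret), "symlink": "link.md"}
        for label, requested in requests.items():
            try:
                safe_resolve(str(root), requested)
                verdicts[label] = "allowed"
            except PermissionError:
                verdicts[label] = "rejected"
    return verdicts
```

The caller should open the path that safe_resolve returns rather than the original request string, so the file read is the one that was checked.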

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
June 12, 2026
Last Modified
June 12, 2026
First Seen
June 13, 2026
