GHSA-2f7j-rp58-mr42: OpenClaw: info disclosure exposes host filesystem paths

GHSA-2f7j-rp58-mr42 MEDIUM
Published April 7, 2026
CISO Take

OpenClaw's Gateway connect success snapshot leaked configPath and stateDir metadata to any authenticated low-privilege client in versions up to 2026.4.1, exposing host filesystem layout and deployment details that clients had no business reason to see. While this is not a direct authorization bypass or code execution, in AI agent deployments those paths frequently co-locate with API keys, model configurations, and runtime secrets — meaning the disclosure meaningfully accelerates chained attacks. There is no public exploit, no EPSS data, and it is not in CISA KEV, keeping immediate real-world risk moderate, but the 37 prior CVEs in this package signal persistent security debt. Upgrade to openclaw 2026.4.2 immediately; if patching is delayed, demote or revoke non-admin client credentials as an interim control and audit configPath and stateDir for co-located sensitive material.

Sources: GitHub Advisory, ATLAS

Risk Assessment

Medium risk overall. CWE-200 information disclosure with no standalone exploitation path, but high reconnaissance value in AI agent deployments where config and state directories routinely contain API keys, tokens, and model artifacts. Exploitation requires only a valid low-privilege authenticated account — no special skills, no novel technique. The 37 prior CVEs in the same package indicate a pattern of security debt that warrants elevated scrutiny of openclaw's security posture beyond this single advisory.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| openclaw | npm | <= 2026.4.1 | 2026.4.2 |


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw to >= 2026.4.2 immediately — the fix limits connect snapshot metadata to admin-scoped clients only.
  2. If patching is delayed, restrict Gateway connect access to admin-scoped clients; revoke or demote non-admin client credentials.
  3. Review Gateway access logs for non-admin connect events prior to patch date and treat unexplained connections as potentially having harvested filesystem metadata.
  4. Audit the directories referenced by configPath and stateDir for co-located sensitive material (API keys, tokens, model weights) and rotate credentials as a precaution.
  5. Monitor for follow-on activity targeting paths that may now be known to an adversary.

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001: A.9 - Information security controls for AI systems
NIST AI RMF: MEASURE 2.5 - AI risks and impacts are evaluated
OWASP LLM Top 10: LLM02 - Sensitive Information Disclosure

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.

## Impact

A non-admin client could recover host-specific filesystem paths and related deployment metadata, aiding host fingerprinting and chained attacks. This was an information-disclosure issue, not a direct authorization bypass.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `676b748056b5efca6f1255708e9dd9469edf5e2e` — limit connect snapshot metadata to admin-scoped clients

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @topsec-bunney for reporting.

Exploitation Scenario

An attacker holding a low-privilege OpenClaw client credential — obtained via phishing, credential stuffing, or compromised CI/CD secrets — connects to the Gateway and receives the standard connect success snapshot. The response includes configPath (e.g., /opt/openclaw/config.json) and stateDir (e.g., /var/lib/openclaw/state). The attacker uses these precise paths to identify likely locations of API keys, agent tool configurations, and model files. With a second vulnerability (path traversal, SSRF, or a malicious skill as seen in AIID #1368), the attacker can now directly target those known paths rather than blindly probing the filesystem, significantly reducing time-to-exploit.
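The scoping rule the fix describes (connect snapshot metadata limited to admin-scoped clients) can be shown as an allowlist applied before the response is sent, with a recursive check that catches path-shaped strings in what a client receives. This is an added example, not OpenClaw's code: `configPath`, `stateDir` and the sample paths come from this page, while the scope strings, the other snapshot fields and every function name are assumptions.

```javascript
// Added example, not OpenClaw source. Only configPath/stateDir are names from
// the advisory; scope strings, other fields and function names are assumed.
const ADMIN_SCOPE = "admin";

// Allowlists rather than a denylist: a field added later stays hidden by default.
const PUBLIC_FIELDS = ["protocolVersion", "serverTime"];
const ADMIN_FIELDS = ["configPath", "stateDir"];

// Vulnerable shape: the full internal snapshot goes to any authenticated client.
function snapshotBefore(_client, internal) {
  return { ...internal };
}

// Hardened shape: copy only allowlisted keys, selected by the client's scopes.
function snapshotAfter(client, internal) {
  const scopes = Array.isArray(client?.scopes) ? client.scopes : [];
  const allowed = scopes.includes(ADMIN_SCOPE)
    ? [...PUBLIC_FIELDS, ...ADMIN_FIELDS]
    : PUBLIC_FIELDS;
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(internal, key)) out[key] = internal[key];
  }
  return out;
}

// Regression check: list every string in a response (nested values included)
// that looks like an absolute or home-relative filesystem path.
function findPathLeaks(value, trail = "$") {
  if (typeof value === "string") {
    return /^(\/|[A-Za-z]:\\|~\/)/.test(value) ? [trail] : [];
  }
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([k, v]) => findPathLeaks(v, `${trail}.${k}`));
}

// Constructed sample data; the two paths are the illustrative ones used above.
const internal = {
  protocolVersion: 3,
  serverTime: "2026-04-07T00:00:00Z",
  configPath: "/opt/openclaw/config.json",
  stateDir: "/var/lib/openclaw/state",
};
const operator = { id: "op-1", scopes: ["operator"] };
const admin = { id: "adm-1", scopes: ["admin"] };
```

Running `findPathLeaks` over responses captured with a non-admin credential gives a quick post-upgrade check that neither field is still being returned.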

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026

Related Vulnerabilities