GHSA-846p-hgpv-vphc: OpenClaw: path traversal → host file exfiltration via QQ Bot

GHSA-846p-hgpv-vphc MEDIUM
Published April 7, 2026
CISO Take

OpenClaw versions up to and including 2026.4.1 contain a path traversal flaw (CWE-22) in the QQ Bot structured media payload handler: a structured payload can name a local path outside the QQ Bot media root, and the media-send path reads and transmits that file. Any host file readable by the OpenClaw process is therefore exfiltrable over the bot channel. The highest-risk scenario for AI deployments is the chain with prompt injection: an attacker who can influence the agent's structured output through a crafted QQ message can direct the media-send path to traverse outside the sanctioned media root and return secrets, SSH keys, or environment files. The package already carries 37 known CVEs, and the credited reporter is from Tencent zhuque Lab (the AI-Infra-Guard project), which is actively auditing this surface; expect attacker attention to follow. Patch to openclaw >= 2026.4.2 immediately. If patching is blocked, run the process under a least-privilege OS user whose filesystem read access is explicitly restricted, and audit QQ Bot media-send calls for paths that resolve outside the media root.

Sources: GitHub Advisory, ATLAS, CISA KEV

Risk Assessment

The advisory is rated MEDIUM with no CVSS vector or EPSS score published, but real-world risk is elevated in AI agent deployments. Once an attacker can deliver messages to the bot, the attack path is low-complexity: no authentication beyond the ability to message the bot is required, although the chain does depend on the model emitting the attacker's path in a structured media payload. The process user's effective permissions determine the blast radius; OpenClaw running as a service account with broad read access (common in self-hosted setups) exposes credentials, configs, and keys. There is no public PoC and no CISA KEV listing, but the traversal primitive is trivial once the payload is under attacker influence, and the prompt-injection chaining angle is novel enough to demand prompt attention.

Affected Systems

Package    Ecosystem   Vulnerable Range   Patched
openclaw   npm         <= 2026.4.1        2026.4.2


Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Upgrade openclaw to >= 2026.4.2 (fix commit 2c45b06, "restrict QQ Bot structured payload local paths").
  2. If immediate patching is blocked: run OpenClaw under a dedicated OS user whose read access is explicitly limited to the directories it needs, via filesystem ACLs or container mounts; in particular, keep .env files, SSH keys and credential stores out of that user's reach.
  3. Enforce the media root boundary at the OS level with a chroot, a mount namespace or read-only container mounts, or a MAC profile (AppArmor/SELinux). Seccomp alone does not help here: it filters syscalls, not the path strings passed to them.
  4. Audit QQ Bot media-send logs for requested paths that resolve outside the expected media directories. Do not grep only for '../': an absolute path such as /etc/passwd contains no traversal sequence yet escapes the root, while a path like '../media/x.png' may contain one and still stay inside it.
  5. Harden prompt injection controls on all external input channels feeding OpenClaw's structured output generation, so that a crafted message cannot steer the media payload's path field.

Classification

Compliance Impact

This advisory is relevant to:

ISO 42001
A.9.2 - Information security in AI system development
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM01 - Prompt Injection LLM07 - Insecure Plugin Design

Related AI Incidents (1)

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary

Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.

## Impact

Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.4.1`
- Patched versions: `>= 2026.4.2`
- Latest published npm version: `2026.4.1`

## Fix Commit(s)

- `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths

## Release Process Note

The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.

Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An attacker sends a QQ message to a bot powered by vulnerable OpenClaw containing a prompt injection payload. The injected instruction directs the LLM to include a traversal path (e.g., '../../../../home/openclaw/.env') or, since the payload path is attacker-chosen, an absolute path in its next structured media payload. OpenClaw processes this output through the QQ Bot media-send handler without confining the path to the media root, reads the target file from the host filesystem, and delivers its contents as a media attachment back through the QQ channel. The attacker recovers API keys, database credentials, or SSH private keys with no further access required. The entire kill chain (inject, traverse, exfiltrate) requires only the ability to send a QQ message to the bot and a model that follows the injected instruction.

Timeline

Published: April 7, 2026
Last Modified: April 7, 2026
First Seen: April 7, 2026

Related Vulnerabilities