GHSA-846p-hgpv-vphc: OpenClaw: path traversal → host file exfiltration via QQ Bot

GHSA-846p-hgpv-vphc MEDIUM
Published April 7, 2026
CISO Take

OpenClaw versions up to and including 2026.4.1 contain a path traversal flaw (CWE-22) in the QQ Bot structured media payload handler that allows reads of any host file accessible to the OpenClaw process. The highest-risk scenario for AI deployments is chaining this with prompt injection: an attacker who can influence the agent's structured output — via a crafted QQ message — can direct the media-send path to traverse outside the sanctioned media root and return secrets, SSH keys, or environment files over the bot channel. With 37 known CVEs already in this package and a credited report from Tencent's AI-Infra-Guard team actively auditing this surface, attacker familiarity with OpenClaw internals is demonstrated. Patch to openclaw >= 2026.4.2 immediately; if patching is blocked, run the process under a least-privilege OS user with explicit filesystem read restrictions and audit QQ Bot media-send calls for path traversal patterns.

Sources: GitHub Advisory ATLAS CISA KEV

What is the risk?

Nominal CVSS medium, but real-world risk is elevated in AI agent deployments. The attack path is low-complexity once an attacker can deliver messages to the bot — no authentication beyond QQ messaging is required. The process user's effective permissions determine blast radius; OpenClaw running as a service account with broad read access (common in self-hosted setups) exposes credentials, configs, and keys. No public PoC or CISA KEV listing, but the traversal primitive is trivially exploitable and the prompt-injection chaining angle is novel enough to demand prompt attention.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.4.1 2026.4.2
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What should I do?

5 steps
  1. Upgrade openclaw to >= 2026.4.2 (fix commit 2c45b06).

  2. If immediate patching is blocked: run OpenClaw under a dedicated OS user with read access explicitly restricted to required directories via filesystem ACLs or container mounts.

  3. Apply chroot, seccomp, or container filesystem restrictions to enforce the media root boundary at the OS level.

  4. Audit QQ Bot media-send logs for path components containing '../' or paths outside expected media directories.

  5. Harden prompt injection controls on all external input channels feeding OpenClaw's structured output generation to break the chaining vector.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.9.2 - Information security in AI system development
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM01 - Prompt Injection LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is GHSA-846p-hgpv-vphc?

OpenClaw versions up to and including 2026.4.1 contain a path traversal flaw (CWE-22) in the QQ Bot structured media payload handler that allows reads of any host file accessible to the OpenClaw process. The highest-risk scenario for AI deployments is chaining this with prompt injection: an attacker who can influence the agent's structured output — via a crafted QQ message — can direct the media-send path to traverse outside the sanctioned media root and return secrets, SSH keys, or environment files over the bot channel. With 37 known CVEs already in this package and a credited report from Tencent's AI-Infra-Guard team actively auditing this surface, attacker familiarity with OpenClaw internals is demonstrated. Patch to openclaw >= 2026.4.2 immediately; if patching is blocked, run the process under a least-privilege OS user with explicit filesystem read restrictions and audit QQ Bot media-send calls for path traversal patterns.

Is GHSA-846p-hgpv-vphc actively exploited?

No confirmed active exploitation of GHSA-846p-hgpv-vphc has been reported, but organizations should still patch proactively.

How to fix GHSA-846p-hgpv-vphc?

1. Upgrade openclaw to >= 2026.4.2 (fix commit 2c45b06). 2. If immediate patching is blocked: run OpenClaw under a dedicated OS user with read access explicitly restricted to required directories via filesystem ACLs or container mounts. 3. Apply chroot, seccomp, or container filesystem restrictions to enforce the media root boundary at the OS level. 4. Audit QQ Bot media-send logs for path components containing '../' or paths outside expected media directories. 5. Harden prompt injection controls on all external input channels feeding OpenClaw's structured output generation to break the chaining vector.

What systems are affected by GHSA-846p-hgpv-vphc?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, chatbot deployments, multi-modal AI pipelines.

What is the CVSS score for GHSA-846p-hgpv-vphc?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworkschatbot deploymentsmulti-modal AI pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM01, LLM07

What are the technical details?

Original Advisory

## Summary Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host. ## Impact Prompt-influenced structured payload output could exfiltrate any host file readable by the OpenClaw process through the QQ Bot media-send path. This was a real confidentiality bug on the host filesystem boundary. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `2c45b06afdd6f7c621038b5419d8e661cff34a7f` — restrict QQ Bot structured payload local paths ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.

Exploitation Scenario

An attacker sends a QQ message to a bot powered by vulnerable OpenClaw containing an indirect prompt injection payload. The injected instruction directs the LLM to include a traversal path (e.g., '../../../../home/openclaw/.env') in its next structured media payload. OpenClaw processes this output through the QQ Bot media-send handler without sanitizing the path, reads the target file from the host filesystem, and delivers its contents as a media attachment back through the QQ channel. The attacker recovers API keys, database credentials, or SSH private keys with no further access required. The entire kill chain — inject, traverse, exfiltrate — requires only the ability to send a QQ message to the bot.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities