AI Threat Alert
GHSA-f934-5rqf-xx47: OpenClaw: path traversal in memory_get reads arbitrary workspace files
GHSA-f934-5rqf-xx47 MEDIUMOpenClaw's QMD backend improperly validated file paths in the memory_get operation, allowing any caller with access to that tool surface to read arbitrary Markdown files under the workspace root — not just the intended canonical memory paths. With 135 prior CVEs recorded against this package, the recurring vulnerability pattern in OpenClaw signals systemic code quality concerns that warrant elevating this beyond a routine patch. Exploitation requires pre-existing access to the memory tool surface and is scoped to Markdown files, and there is no public exploit, no CISA KEV listing, and EPSS data is unavailable — limiting opportunistic mass exploitation. Teams running OpenClaw should upgrade to 2026.4.15 immediately and audit what sensitive Markdown files reside in agent workspaces; review memory_get logs for calls referencing non-canonical paths as a detection measure.
What is the risk?
Medium risk in AI agent deployments. The path traversal bypasses memory-path policy controls rather than enabling full system compromise, and exploitation requires pre-existing access to the memory_get tool surface. However, AI agent workspaces frequently contain configuration files, credential references, system prompt fragments, and sensitive operational context in Markdown format — elevating the real-world data exposure above what CVSS alone indicates. The 135 other CVEs in this same package represent a significant risk multiplier for any production OpenClaw deployment and suggest that defense-in-depth controls around the agent's tool surface are essential.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.15 | 2026.4.15 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
6 steps-
Upgrade openclaw (npm) to version 2026.4.15 or later immediately — verify the fix commit 37d5971db36491d5050efd42c333cbe0b98ed292 is present in your installed version.
-
If upgrade is not immediately feasible, disable the QMD backend as a temporary workaround.
-
Audit workspace directories for sensitive Markdown files — relocate credentials, API keys, infrastructure notes, and PII outside the workspace root.
-
Review and restrict access controls on the memory_get tool surface; limit which agents or callers can invoke it.
-
Enable logging on memory_get invocations and alert on path arguments referencing non-memory directories or containing traversal sequences.
-
In multi-agent environments, treat each agent's memory tool surface as an exploitable boundary and apply least-privilege access controls accordingly.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-f934-5rqf-xx47?
OpenClaw's QMD backend improperly validated file paths in the memory_get operation, allowing any caller with access to that tool surface to read arbitrary Markdown files under the workspace root — not just the intended canonical memory paths. With 135 prior CVEs recorded against this package, the recurring vulnerability pattern in OpenClaw signals systemic code quality concerns that warrant elevating this beyond a routine patch. Exploitation requires pre-existing access to the memory tool surface and is scoped to Markdown files, and there is no public exploit, no CISA KEV listing, and EPSS data is unavailable — limiting opportunistic mass exploitation. Teams running OpenClaw should upgrade to 2026.4.15 immediately and audit what sensitive Markdown files reside in agent workspaces; review memory_get logs for calls referencing non-canonical paths as a detection measure.
Is GHSA-f934-5rqf-xx47 actively exploited?
No confirmed active exploitation of GHSA-f934-5rqf-xx47 has been reported, but organizations should still patch proactively.
How to fix GHSA-f934-5rqf-xx47?
1. Upgrade openclaw (npm) to version 2026.4.15 or later immediately — verify the fix commit 37d5971db36491d5050efd42c333cbe0b98ed292 is present in your installed version. 2. If upgrade is not immediately feasible, disable the QMD backend as a temporary workaround. 3. Audit workspace directories for sensitive Markdown files — relocate credentials, API keys, infrastructure notes, and PII outside the workspace root. 4. Review and restrict access controls on the memory_get tool surface; limit which agents or callers can invoke it. 5. Enable logging on memory_get invocations and alert on path arguments referencing non-memory directories or containing traversal sequences. 6. In multi-agent environments, treat each agent's memory tool surface as an exploitable boundary and apply least-privilege access controls accordingly.
What systems are affected by GHSA-f934-5rqf-xx47?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Memory-augmented agents, Multi-agent orchestration.
What is the CVSS score for GHSA-f934-5rqf-xx47?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0053 AI Agent Tool Invocation AML.T0080.000 Memory AML.T0085.001 AI Agent Tools Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set. ## Impact When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy. ## Affected versions - Affected: `< 2026.4.15` - Patched: `2026.4.15` ## Fix OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient. Verified in `v2026.4.15`: - `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior. Fix commit included in `v2026.4.15` and absent from `v2026.4.14`: - `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026 Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.
Exploitation Scenario
An adversary with legitimate or compromised access to an OpenClaw agent's memory tool — obtained via a poisoned skill, a jailbroken agent session, a stolen API token, or a compromised sub-agent — calls memory_get with a crafted path pointing to a non-canonical Markdown file such as a workspace README containing infrastructure notes, a configuration fragment with API endpoint references, or an agent persona file with embedded credentials. The QMD backend prior to 2026.4.15 validates only that the path falls within the workspace root, so the attacker bypasses the memory-path policy and reads files outside the intended index. In a multi-agent orchestration environment, a single compromised sub-agent could systematically enumerate and exfiltrate workspace knowledge to an adversary-controlled endpoint, piggybacking on the agent's existing tool invocation capabilities.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-32038 9.8 Analysis pending
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw