CVE-2026-43577

MEDIUM 6.5

OpenClaw < 2026.4.9 - Arbitrary File Read via Browser Interaction Routes

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.

CWE	CWE-862
Vendor	openclaw
Product	openclaw
Published	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.4.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38 github.com: https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-browser-interaction-routes

Credits

🔍 tdjackey