CVE-2026-43533 · HIGH 8.6 · EPSS percentile 28.6%

CVE-2026-43533

Description

OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers can craft malicious reply text containing media tags to disclose arbitrary local files through outbound media handling.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.37% probability of exploitation · percentile 28.6% · scored 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-07

Underlying weaknesses · 1

CWE-23 (Relative Path Traversal)

References

  1. https://github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h
  3. https://www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-qqbot-media-tags

Type      Target                            Confidence  Tier
Weakness  Relative Path Traversal (cwe-23)  0%          live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE  CVE-2026-43526
CVE  CVE-2026-41914
CVE  CVE-2026-33581
CVE  CVE-2026-34507
CVE  CVE-2026-22171
CVE  CVE-2026-32026

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.