CVE-2026-26329 - OpenClaw browser upload file read
OpenClaw versions before 2026.2.14 allowed authenticated browser-tool users
to pass absolute or traversal paths into upload/file-chooser flows. The Gateway
then handed those paths to Playwright file upload APIs, allowing page
JavaScript, browser snapshots, or tool outputs to read files from the Gateway
host.
This recipe is meant for agent runtimes and browser-control gateways where “authenticated” does not equal “trusted operator.” A mergeable PR must show which sessions can use browser upload, whether the Gateway is exposed beyond loopback, and how local file upload paths are confined to a temporary upload root.
When to use it
Use this recipe when a repository, browser-control gateway, or OpenClaw agent runtime allows browser upload/file-chooser actions. It supports source-code remediation, file sandbox hardening, browser-tool audit, and evidence that authenticated sessions cannot make the Gateway read arbitrary host files.
Inputs
- OpenClaw version, Gateway deployment, browser upload routes, file chooser helper code, session model, and upload temp-root configuration.
- Source paths that accept file paths, normalize upload selections, call Playwright upload APIs, snapshot browser state, or serialize upload errors.
- Regression fixtures for absolute paths,
..traversal, symlinks, Windows drive paths, UNC paths, and valid temporary upload files. - Boundary evidence for reachable files: host filesystem, browser profiles, credentials, mounted volumes, generated artifacts, and who can use browser upload tools.
Affected versions
- Vulnerable package:
openclaw <2026.2.14 - Fixed package:
openclaw 2026.2.14+ - Affected action: browser tool upload/file chooser paths passed to Playwright file-upload APIs
- Affected entry points: Gateway tool invocation and browser control hook routes that can trigger file upload
- Required attacker capability: authenticated access to the Gateway surface and permission to use the browser tool in the target session
Indicator-of-exposure
- The repository depends on, vendors, builds, or deploys
openclaw <2026.2.14. - Browser tool support is enabled for agent sessions, developer sandboxes, local assistants, CI browser agents, or remote support workflows.
- Gateway access is available over LAN, tailnet, tunnel, reverse proxy, container port publish, cloud dev environment, or browser-accessible localhost context.
- Tool policy allows browser upload or file chooser actions for users, tenants, agents, plugins, or automation accounts that should not read Gateway-host files.
- The Gateway host contains readable secrets, credentials, SSH keys, cloud config, repository files, prompt logs, browser profiles, screenshots, or operator home-directory data.
Quick checks:
rg -n "openclaw|browser.*upload|file-chooser|setInputFiles|DEFAULT_UPLOAD_DIR|tools/invoke|browser.*tool|gateway.*token|Gateway" .
npm ls openclaw
pnpm why openclaw
yarn why openclaw
rg -n "openclaw|setInputFiles|file-chooser|browser.*upload|tools/invoke|DEFAULT_UPLOAD_DIR|browser.*enabled|gateway" package.json package-lock.json pnpm-lock.yaml yarn.lock Dockerfile* docker-compose*.yml compose*.yml src app packages deploy . 2>/dev/null
Windows:
rg -n "openclaw|browser.*upload|file-chooser|setInputFiles|DEFAULT_UPLOAD_DIR|tools/invoke|browser.*tool|gateway.*token|Gateway" .
npm ls openclaw
pnpm why openclaw
yarn why openclaw
rg -n "openclaw|setInputFiles|file-chooser|browser.*upload|tools/invoke|DEFAULT_UPLOAD_DIR|browser.*enabled|gateway" package.json package-lock.json pnpm-lock.yaml yarn.lock Dockerfile* docker-compose*.yml compose*.yml src app packages deploy .
Do not invoke browser upload actions against live Gateways, point file chooser paths at secrets, or let test pages read local files during triage.
Remediation strategy
- Upgrade every controlled OpenClaw dependency, lockfile, image, generated
dependency report, and SBOM to
2026.2.14+. - Constrain browser upload/file-chooser paths to a dedicated temporary upload root. Reject absolute paths, traversal, symlink escapes, and paths outside the root after canonicalization.
- Review browser-tool policy. Only trusted sessions should be able to upload files, and untrusted sessions should receive pre-staged temporary files rather than arbitrary host paths.
- Keep Gateway exposure loopback-only unless protected by explicit authentication, authorization, network policy, and audit logging.
- Add safe local tests that use temporary fixtures and assert that upload actions cannot reference files outside the configured upload root.
- If the vulnerable Gateway was reachable by low-privilege users, review access logs and rotate credentials that may have been readable from the Gateway host.
The prompt
You are remediating CVE-2026-26329 / GHSA-cv7m-c9jx-vg7q, an OpenClaw browser
upload path traversal issue that can read arbitrary files from the Gateway
host. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades OpenClaw, confines browser
upload paths, hardens Gateway/tool policy, adds safe regression coverage,
refreshes generated artifacts, and documents operator review, or
- TRIAGE.md if this repository does not own an affected OpenClaw Gateway or
browser upload surface.
## Rules
- Scope only CVE-2026-26329 / GHSA-cv7m-c9jx-vg7q and directly related
OpenClaw browser upload, file chooser, Gateway exposure, and tool policy
controls.
- Treat Gateway tokens, bearer tokens, cookies, SSH keys, cloud credentials,
browser profiles, prompt logs, screenshots, repository files, operator home
directories, test artifacts, and tool outputs as sensitive.
- Do not invoke live browser upload actions, point file chooser paths at
secrets, exfiltrate local files through page JavaScript, or print sensitive
paths/contents.
- Do not remove authentication, authorization, browser tool policy, audit
logging, upload restrictions, or tests to silence the advisory.
- Do not auto-merge.
## Steps
1. Inventory every OpenClaw runtime controlled by the repository: npm manifests,
lockfiles, workspaces, Dockerfiles, Gateway images, agent runtime configs,
browser tool policies, reverse proxy config, deployment manifests, generated
dependency reports, SBOMs, and runbooks.
2. Determine every resolved `openclaw` version. A target is vulnerable if it
resolves to `<2026.2.14`.
3. Search for browser upload and file chooser paths: `browser` tool enablement,
`upload`, `file-chooser`, `setInputFiles`, `DEFAULT_UPLOAD_DIR`,
`POST /tools/invoke`, `POST /hooks/file-chooser`, local file staging,
Gateway bind addresses, published ports, tunnels, and reverse proxies.
4. Classify Gateway exposure as loopback-only, developer workstation,
container-published, LAN, tailnet, VPN, reverse proxy, cloud dev
environment, internet-facing, or externally owned.
5. Classify browser tool users as trusted developers, admins, support staff,
tenants, automation accounts, plugins, agents, unauthenticated users, or
unknown.
6. If OpenClaw is absent, fixed, or browser upload is not deployed by this
repository, stop with `TRIAGE.md` listing checked files, resolved versions,
and owner/exposure rationale.
7. Upgrade all controlled OpenClaw references to `2026.2.14+`. Refresh locks,
images, generated dependency reports, SBOMs, and docs.
8. Harden upload handling where this repository owns wrappers or config:
- create a dedicated upload staging root;
- reject absolute paths and traversal;
- canonicalize final paths and require them to stay under the staging root;
- reject symlink escapes;
- avoid passing arbitrary host paths to Playwright `setInputFiles`;
- delete staged files after use according to retention policy.
9. Harden Gateway and tool policy:
- bind to loopback unless remote access is explicitly required;
- require authenticated, authorized, audited browser tool use;
- disable upload/file chooser for untrusted sessions;
- avoid mounting secrets, browser profiles, SSH keys, cloud config, or
operator home directories into the Gateway container.
10. Add safe regression checks:
- dependency policy rejects `openclaw <2026.2.14`;
- upload paths outside a temporary staging root are rejected;
- symlink and traversal fixtures cannot reach files outside the root;
- untrusted session policy cannot invoke upload/file chooser actions;
- logs and test output do not include tokens, file contents, or sensitive
local paths.
11. Add a PR body section named `CVE-2026-26329 operator actions` that states:
- OpenClaw versions before and after;
- where Gateway runs and how it is exposed;
- which roles or agents can use browser upload;
- what upload root is enforced;
- whether Gateway credentials, cloud credentials, SSH keys, prompt logs, or
browser profiles require review or rotation;
- which validation commands passed.
12. Run available validation: package install, lockfile integrity, unit tests,
browser upload policy tests with local fixtures, lint/typecheck, image
build, deployment render checks, SBOM refresh, and dependency/security
scans.
13. Use PR title:
`fix(sec): remediate CVE-2026-26329 in OpenClaw browser upload`.
## Stop conditions
- No affected OpenClaw dependency, Gateway runtime, browser upload surface,
image, or generated artifact is controlled by this repository.
- The affected Gateway is owned by another platform or local workstation owner;
name the owner and required fixed version in `TRIAGE.md`.
- A fixed OpenClaw version requires a broader agent runtime migration the agent
cannot safely complete.
- Verification would require live Gateway probes, reading host files, browser
exfiltration, secrets, or production/local operator data.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades OpenClaw, confines browser uploads to a safe temp root, adds traversal/file-read tests, and documents cleanup for any exposed host paths.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, upload boundary, reachable sessions, required fix, and residual file risk. - The output must include exact validation commands and must not read real host secrets, browser profiles, user files, or production Gateway logs.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or generated report resolves
openclaw <2026.2.14. - Browser upload/file chooser paths are confined to a canonical temporary upload root with traversal and symlink escapes rejected.
- Tool policy prevents untrusted sessions from submitting arbitrary host paths to browser upload actions.
- Gateway exposure is loopback or explicitly protected by authn, authz, network policy, and audit logs.
- Operator notes cover credential/log review when low-privilege users could reach the Gateway.
Watch for
- Updating the package while a Docker image, devcontainer, or local installer still pins the vulnerable OpenClaw version.
- Assuming loopback is safe when a browser, remote desktop, tunnel, or container port publish can reach it.
- Confusing “valid Gateway token” with permission to read local files from the Gateway host.
- Checking only traversal strings while symlinks or absolute Windows paths can still escape the upload root.
- Logging file contents or sensitive paths while debugging rejected uploads.
Related recipes
- Source code secrets and data exposure audit
- Source code attack surface map
- Source code authz tenant boundary audit
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-cv7m-c9jx-vg7q
- OpenClaw advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q
- OpenClaw 2026.2.14 release: https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-26329