Arbitrary File Read Vulnerability in OpenClaw by OpenClaw Vendor
CVE-2026-44111

2.3LOW

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 6 May 2026

What is CVE-2026-44111?

OpenClaw, prior to version 2026.4.15, is affected by an arbitrary file read vulnerability located in the QMD backend's memory_get function. This flaw permits attackers to read any Markdown files located within the workspace root. Through exploiting this vulnerability, individuals with access to the memory tool can circumvent established path restrictions, allowing them to specify arbitrary Markdown file paths. Consequently, this can lead to unauthorized access to files that reside outside the designated memory locations or indexed QMD result sets.

Affected Version(s)

OpenClaw 0 < 2026.4.15

OpenClaw 2026.4.15

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/37d5971db3649...

patch

https://www.vulncheck.com/advisories/openclaw-arbitrary-m...

third-party-advisory

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 6, 2026
Vulnerability Reserved
May 5, 2026

Credit

zsx (@zsxsoft)

KeenSecurityLab

qclawer

CVE-2026-44111 Data

JSON

Openclaw

What is CVE-2026-44111?

Affected Version(s)

References

CVSS V4

Timeline

Credit