CVE-2026-32008

Summary

OpenClaw versions prior to 2026.2.21 contain an improper URL scheme validation vulnerability in the assertBrowserNavigationAllowed() function that allows authenticated users with browser-tool access to navigate to file:// URLs. Attackers can exploit this by accessing local files readable by the OpenClaw process user through browser snapshot and extraction actions to exfiltrate sensitive data.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.2.21affected
OpenClawOpenClaw2026.2.21unaffected

Weaknesses

  • CWE-610: CWE-610: Externally Controlled Reference to a Resource in Another Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References