GHSA-f934-5rqf-xx47: Arbitrary Workspace File Read via Path Restriction Bypass in OpenClaw

OpenClaw is an AI assistant framework designed to automate tasks and manage conversational context. The Queryable Markdown (QMD) component handles the storage and retrieval of conversational memory files. The vulnerability identified as GHSA-f934-5rqf-xx47 is an arbitrary file read flaw, specifically categorized as an improper path limitation (CWE-22) residing in the memory_get tool.

The QmdMemoryManager acts as the primary interface for fetching conversational states and agent history. It exposes a file reading mechanism intended strictly for designated memory documentation. The vulnerability arises from insufficient path validation during file retrieval requests processed by this manager.

Attackers leverage this vulnerability to repurpose the memory_get tool as a generic workspace-file read shim. By supplying crafted relative paths, an authenticated user or autonomous agent can extract sensitive Markdown files stored within the workspace boundary. This circumvents intended access control policies, leading to unauthorized localized information disclosure.

The root cause resides in the QmdMemoryManager.resolveReadPath method located within the extensions/memory-core/src/memory/qmd-manager.ts file. This method is responsible for validating requested file paths before passing them to the underlying file system read operations.

In vulnerable versions, the application implemented a solitary security boundary: verifying that the absolute path of the requested file fell within the user's workspace directory. The application relied entirely on the isWithinWorkspace function to prevent standard directory traversal attacks aimed at the host operating system.

This validation logic failed to account for intra-workspace access controls and intended functional boundaries. The memory_get tool is specifically designed to interact with conversational memory files, but the permissive spatial check allowed it to read any Markdown file residing anywhere within the workspace structure.

The vulnerable implementation of resolveReadPath strictly checked for workspace containment. If a requested path did not escape the workspace root directory, the function returned the absolute path for immediate reading.

private resolveReadPath(absPath: string): string {
  if (!this.isWithinWorkspace(absPath)) {
    throw new Error("path escapes workspace");
  }
  return absPath;
}

The patch introduced in commit 37d5971db36491d5050efd42c333cbe0b98ed292 enforces strict contextual validation. The system now verifies whether the requested file belongs to the canonical memory structure or exists within an actively managed SQLite document index.

private resolveReadPath(absPath: string): string {
    if (!this.isWithinWorkspace(absPath)) {
      throw new Error("path escapes workspace");
    }
    const workspaceRel = path.relative(this.workspaceDir, absPath).replace(/\\/g, "/");
    if (!isDefaultMemoryPath(workspaceRel) && !this.isIndexedWorkspaceReadPath(absPath)) {
      throw new Error("path required");
    }
    return absPath;
}

The isDefaultMemoryPath helper ensures the file aligns with the standard memory structure, checking for specific filenames like MEMORY.md and DREAMS.md, or paths within the memory/ subdirectory. The isIndexedWorkspaceReadPath method queries the local SQLite database to confirm the requested file is explicitly registered as an active memory document before permitting read access.

Exploitation requires the attacker to possess the authorization necessary to invoke the memory_get tool. This capability is typically available to authenticated users or AI agents operating within the OpenClaw environment. The target of the exploit must be a Markdown file stored within the workspace boundary but outside the designated memory directories.

The attacker initiates the exploit by sending a request to an exposed application interface, such as a QQBot media tag or a direct API tool call. The payload contains a relPath parameter pointing to the targeted sensitive file, such as notes/passwords.md or .memory/hidden_secrets.md.

The application processes the request through the vulnerable QmdMemoryManager. Since the target file is spatially located within the workspace boundary, the isWithinWorkspace validation succeeds. The system reads the target file from disk and returns its contents directly in the tool response.

The official unit tests introduced alongside the patch demonstrate this precise attack vector. The test case provisions a secret file outside the memory path and attempts to retrieve it.

it("rejects non-memory workspace markdown reads", async () => {
    await fs.writeFile(path.join(workspaceDir, "window.md"), "secret content", "utf-8");
    
    const { manager } = await createManager();
 
    await expect(manager.readFile({ relPath: "window.md" })).rejects.toThrow("path required");
});

The primary consequence of this vulnerability is unauthorized localized information disclosure within the context of the OpenClaw workspace. An attacker acquires read access to sensitive data stored in Markdown files that were explicitly not intended for exposure through the AI assistant's conversational memory interface.

The vulnerability carries a CVSS v3.1 base score of 4.3 (Medium), reflecting the constrained scope of the issue. The assigned vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N indicates a network-exploitable flaw that necessitates low user privileges and zero user interaction to execute successfully.

While the vulnerability does not permit arbitrary file reads from the underlying host operating system, the exposure of intra-workspace files directly compromises application data confidentiality. Development and operational workspaces frequently contain environment configuration data, private operational notes, or internal documentation that attackers can extract to facilitate further lateral movement or privilege escalation against other systems.

The vulnerability is fully addressed in OpenClaw version 2026.4.14. System administrators, security engineers, and developers must upgrade the openclaw npm package to this version or a later release to enforce strict file path validation.

The updated release relies on the modified QmdMemoryManager to properly validate memory file requests against both the canonical file structure and the active SQLite document index. This implementation guarantees that the memory_get tool operates solely within its intended scope and cannot function as a general-purpose file reader.

As an interim mitigation strategy for deployments unable to immediately patch, administrators must review the file structure of their OpenClaw workspaces. Sensitive information should be actively purged from Markdown files stored within the workspace directory or relocated to secure storage external to the AI framework's operational boundary. Additionally, security teams should configure monitoring alerts for anomalous memory_get requests targeting non-standard file paths to detect potential exploitation attempts.