Path Traversal in OpenClaw QQBot Media Tag Processing

OpenClaw before version 2026.4.10 suffers from an arbitrary file read vulnerability in its QQBot media tag handling mechanism. Attackers can craft malicious reply text containing specially crafted media tags that reference host-local file paths outside the intended media storage directory, enabling unauthorized disclosure of sensitive files. This vulnerability affects any organization deploying OpenClaw versions prior to 2026.4.10 with QQBot functionality enabled, particularly those processing untrusted user-supplied chat replies. The attack requires no special privileges—an attacker simply needs to inject malicious media tags into bot reply text to exfiltrate confidential data through the platform's outbound media handling routines.

While this CVE does not currently map to specific MITRE ATT&CK techniques in public frameworks, the underlying attack pattern aligns with discovery and exfiltration tactics. Casky's platform, leveraging Claude AI with extended reasoning capabilities, would detect this vulnerability pattern by analyzing outbound media handling workflows for path traversal indicators—including parent directory references (../, ..\ sequences), absolute path specifications, and symbolic link resolution attempts. Practitioners using Casky would observe findings focused on input validation gaps in media tag parsing, improper path canonicalization, and missing boundary enforcement checks that allow directory traversal. The platform's reasoning engine would correlate suspicious media tag syntax patterns with file system access logs to highlight attack chains before exploitation occurs, enabling teams to patch or implement compensating controls before OpenClaw instances are compromised.