Severity: MODERATE
Repository: openclaw/openclaw
Published: Apr 7, 2026, 6:15 PM
Ref: 5c36c2d0d2cc84b6dd856db9602cc93331bf7919
Advisory summary
OpenClaw: QQ Bot structured payloads could read arbitrary local files
Curator analysis
Synopsis
QQ Bot structured media payloads accepted attacker-chosen local file paths and read them for upload without enforcing that the path stayed inside QQ Bot-owned media storage, enabling arbitrary local file disclosure.
Vulnerability classes
path traversal; arbitrary local file read
Sink hints
extensions/qqbot/src/reply-dispatcher.ts
Structured media payload handlers consume payload.path, read local files, and forward their contents through QQ Bot media-send APIs. The fix adds local-path validation here before file reads.
extensions/qqbot/src/utils/platform.ts
The fix adds a new resolver that canonicalizes structured-payload local paths and restricts them to the QQ Bot media directory, indicating the previous path-resolution behavior was too permissive.
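The following is an added example, not OpenClaw's own code, showing the shape of check the two sink hints describe: a resolver that canonicalizes a payload-supplied local path and confines it to the bot's media directory, and a dispatcher-side gate that applies it before any file read. The `MediaPayload` type, the function names `resolveMediaPath` and `readMediaPayload`, and the media directory used in the usage note are all assumptions constructed for this example.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Hypothetical structured media payload, modelled on the `payload.path` field
// mentioned in the sink hints; not OpenClaw's own type.
export interface MediaPayload {
  type: "image" | "file" | "voice" | "video";
  path: string;
}

// True only if `candidate` lies strictly below `base` (both already absolute).
// Uses path.relative rather than a string-prefix test so that a sibling such as
// "<base>-other/x" is not mistaken for a child of "<base>".
function isInside(base: string, candidate: string): boolean {
  const rel = path.relative(base, candidate);
  return (
    rel !== "" &&
    rel !== ".." &&
    !rel.startsWith(".." + path.sep) &&
    !path.isAbsolute(rel)
  );
}

// Canonicalize a payload-supplied path and confine it to the media directory.
// Returns the absolute path on success, or null if the path escapes.
// This is a lexical check only; readMediaPayload adds a symlink-aware check.
export function resolveMediaPath(mediaDir: string, payloadPath: string): string | null {
  // Empty paths and embedded NUL bytes (which truncate in native APIs) are rejected.
  if (payloadPath.length === 0 || payloadPath.includes("\0")) return null;
  const base = path.resolve(mediaDir);
  // Relative paths resolve against the media dir, never the process cwd;
  // absolute paths are kept but must still land inside the media dir.
  const candidate = path.resolve(base, payloadPath);
  return isInside(base, candidate) ? candidate : null;
}

// The gate a dispatcher applies before handing file bytes to a media-send API.
export function readMediaPayload(mediaDir: string, payload: MediaPayload): Uint8Array {
  const resolved = resolveMediaPath(mediaDir, payload.path);
  if (resolved === null) {
    throw new Error(`rejected media path outside media dir: ${payload.path}`);
  }
  // Second check after following symlinks: a link planted inside the media
  // dir must not redirect the read to a file outside it.
  const realBase = fs.realpathSync(mediaDir);
  const realTarget = fs.realpathSync(resolved);
  if (!isInside(realBase, realTarget)) {
    throw new Error(`rejected symlinked media path: ${payload.path}`);
  }
  return fs.readFileSync(realTarget);
}
```

With a constructed media directory of `/var/lib/qqbot/media`, `resolveMediaPath` accepts `img/photo.png` and `/var/lib/qqbot/media/img/photo.png`, and returns null for `../../../../etc/passwd`, `/etc/passwd` and the sibling directory `/var/lib/qqbot/media-evil/x`. The second, realpath-based check in `readMediaPayload` is what turns a lexical containment test into one that also holds on a filesystem where the media directory can contain symlinks.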
Expected components
QQ Bot structured payload dispatcher; QQ Bot local media path resolution
Model scores (5)

openai/gpt-5.4 (excellent): 96.00
  Target Alignment 29; Source To Sink Reasoning 29; Impact And Exploitability 19; Evidence Quality 10; Overclaim Control 9

google/gemini-3.1-pro-preview (excellent): 93.20
  Target Alignment 95; Source To Sink Reasoning 92; Impact And Exploitability 93; Evidence Quality 90; Overclaim Control 96

z-ai/glm-5.1 (excellent): 88.00
  Target Alignment 27; Source To Sink Reasoning 28; Impact And Exploitability 17; Evidence Quality 8; Overclaim Control 8

moonshotai/kimi-k2.5 (excellent): 82.00
  Target Alignment 26; Source To Sink Reasoning 24; Impact And Exploitability 17; Evidence Quality 6; Overclaim Control 9

anthropic/claude-opus-4.6 (partial): 81.00
  Target Alignment 25; Source To Sink Reasoning 24; Impact And Exploitability 17; Evidence Quality 8; Overclaim Control 7