# CVE-2026-43533 + CVE-2026-43526 + CVE-2026-43566 – Multiple vulnerabilities in OpenClaw QQBot
## Summary
Three vulnerabilities have been disclosed in **OpenClaw** affecting its **QQBot** component. Taken together, they allow an unauthenticated remote attacker to read arbitrary local files, perform server-side request forgery, and escalate privileges — all without user interaction. Organizations running OpenClaw should patch immediately.
| CVE | Type | CVSS | Severity | Fixed in |
|—–|——|——|———-|———-|
| CVE-2026-43533 | Arbitrary file read / Path traversal | 8.6 | HIGH | 2026.4.10 |
| CVE-2026-43526 | Server-Side Request Forgery (SSRF) | 8.2–8.3 | HIGH | 2026.4.12 |
| CVE-2026-43566 | Privilege escalation via webhook events | 9.1 | CRITICAL | 2026.4.14 |
—
### CVE-2026-43533 — Arbitrary Local File Read (CWE-23)
– **Root cause:** Insufficient validation when resolving QQBot media tags, allowing references to host-local file system paths outside the intended media storage sandbox.
– **Attack vector:** Network — attacker sends crafted reply text containing malicious media tags.
– **Authentication / privileges:** None required; no user interaction.
– **CVSS v3.1:** 8.6 (HIGH)
– **Impact:** High confidentiality — attackers can read arbitrary files on the host (config files, credentials, SSH keys, etc.).
– **Fixed in:** OpenClaw 2026.4.10
—
### CVE-2026-43526 — Server-Side Request Forgery in Media URL Handling (CWE-918)
– **Root cause:** QQBot’s media URL handling does not restrict outbound requests, allowing attackers to supply malicious URLs that cause the server to fetch arbitrary content; retrieved data is subsequently re-uploaded through the channel.
– **Attack vector:** Network — attacker provides a crafted media URL in a message.
– **Authentication / privileges:** None required; no user interaction.
– **CVSS v3.1:** 8.2 / CVSS v4.0: 8.3 (HIGH)
– **Impact:** High confidentiality, low integrity — internal service enumeration, credential harvesting from metadata endpoints, and exfiltration of internal content.
– **Fixed in:** OpenClaw 2026.4.12
—
### CVE-2026-43566 — Privilege Escalation via Webhook Wake Events (CWE-184)
– **Root cause:** Heartbeat owner downgrade logic skips webhook wake events carrying untrusted content, allowing an attacker to inject webhook events that bypass privilege checks.
– **Attack vector:** Network — attacker sends a crafted webhook wake event.
– **Authentication / privileges:** None required; no user interaction.
– **CVSS v3.1 / v4.0:** 9.1 (CRITICAL)
– **Affected versions:** OpenClaw 2026.4.7 through 2026.4.13.
– **Impact:** High confidentiality and integrity — attacker can escalate to a privileged role and manipulate bot behavior or exfiltrate data.
– **Fixed in:** OpenClaw 2026.4.14
—
### Potential Risks (Combined)
These three vulnerabilities can be chained for maximum impact:
– CVE-2026-43526 (SSRF) can be used to reach internal services and extract credentials or tokens.
– CVE-2026-43533 (file read) enables direct exfiltration of SSH keys, environment files, and application secrets.
– CVE-2026-43566 (privilege escalation) allows an attacker to take over bot-level privileges and use the bot as a pivot point for lateral movement or data manipulation.
– All three are unauthenticated and require no user interaction, making them exploitable purely over the network.
### Mitigation / Remediation
– **Upgrade to OpenClaw 2026.4.14 or later** — this is the single version that resolves all three vulnerabilities.
– If immediate upgrade is not possible, apply fixes incrementally: 2026.4.10 (CVE-2026-43533), then 2026.4.12 (CVE-2026-43526), then 2026.4.14 (CVE-2026-43566).
– Restrict network access to OpenClaw instances (block untrusted inbound sources).
– Monitor outbound media requests for anomalous patterns (unexpected internal IP targets, local file path references).
– Review webhook event handling logs for unexpected privilege escalation attempts.
—
## IONIX Status
The IONIX research team is tracking ongoing exploitation attempts across all three vulnerabilities and recommends immediate patching to OpenClaw 2026.4.14. Potentially affected assets are outlined in this post.
References: