CVE-2026-4040 (GCVE-0-2026-4040)
Vulnerability from cvelistv5 – Published: 2026-03-12 12:02 – Updated: 2026-03-12 13:08 X_Open Source
VLAI?
Title
OpenClaw File Existence tools.exec.safeBins information exposure
Summary
A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | OpenClaw |
Affected:
2026.2.0
Affected: 2026.2.1 Affected: 2026.2.2 Affected: 2026.2.3 Affected: 2026.2.4 Affected: 2026.2.5 Affected: 2026.2.6 Affected: 2026.2.7 Affected: 2026.2.8 Affected: 2026.2.9 Affected: 2026.2.10 Affected: 2026.2.11 Affected: 2026.2.12 Affected: 2026.2.13 Affected: 2026.2.14 Affected: 2026.2.15 Affected: 2026.2.16 Affected: 2026.2.17 Unaffected: 2026.2.19-beta.1 cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:* |
Credits
nedlir (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4040",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-12T13:08:04.596893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T13:08:57.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*"
],
"modules": [
"File Existence Handler"
],
"product": "OpenClaw",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2026.2.0"
},
{
"status": "affected",
"version": "2026.2.1"
},
{
"status": "affected",
"version": "2026.2.2"
},
{
"status": "affected",
"version": "2026.2.3"
},
{
"status": "affected",
"version": "2026.2.4"
},
{
"status": "affected",
"version": "2026.2.5"
},
{
"status": "affected",
"version": "2026.2.6"
},
{
"status": "affected",
"version": "2026.2.7"
},
{
"status": "affected",
"version": "2026.2.8"
},
{
"status": "affected",
"version": "2026.2.9"
},
{
"status": "affected",
"version": "2026.2.10"
},
{
"status": "affected",
"version": "2026.2.11"
},
{
"status": "affected",
"version": "2026.2.12"
},
{
"status": "affected",
"version": "2026.2.13"
},
{
"status": "affected",
"version": "2026.2.14"
},
{
"status": "affected",
"version": "2026.2.15"
},
{
"status": "affected",
"version": "2026.2.16"
},
{
"status": "affected",
"version": "2026.2.17"
},
{
"status": "unaffected",
"version": "2026.2.19-beta.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nedlir (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1.7,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "Information Exposure Through Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "Information Disclosure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T12:02:14.140Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-350652 | OpenClaw File Existence tools.exec.safeBins information exposure",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.350652"
},
{
"name": "VDB-350652 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.350652"
},
{
"name": "Submit #769581 | openclaw 2026.2.17 Information Disclosure",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.769581"
},
{
"tags": [
"related"
],
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j"
},
{
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754"
},
{
"tags": [
"patch"
],
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1"
},
{
"tags": [
"product"
],
"url": "https://github.com/openclaw/openclaw/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-12T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-12T01:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-12T07:51:24.000Z",
"value": "VulDB entry last update"
}
],
"title": "OpenClaw File Existence tools.exec.safeBins information exposure"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-4040",
"datePublished": "2026-03-12T12:02:14.140Z",
"dateReserved": "2026-03-12T06:46:15.510Z",
"dateUpdated": "2026-03-12T13:08:57.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-4040",
"date": "2026-04-16",
"epss": "0.00016",
"percentile": "0.03539"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-4040\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2026-03-12T12:15:59.990\",\"lastModified\":\"2026-03-16T18:06:44.927\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad fue identificada en OpenClaw hasta 2026.2.17. Este problema afecta la funci\u00f3n tools.exec.safeBins del componente Gestor de Existencia de Archivos. La manipulaci\u00f3n conduce a la exposici\u00f3n de informaci\u00f3n a trav\u00e9s de discrepancia. El ataque necesita ser realizado localmente. La actualizaci\u00f3n a la versi\u00f3n 2026.2.19-beta.1 es capaz de abordar este problema. El identificador del parche es bafdbb6f112409a65decd3d4e7350fbd637c7754. Se aconseja actualizar el componente afectado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":4.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":1.7,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.1,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2026.2.0\",\"versionEndExcluding\":\"2026.2.19\",\"matchCriteriaId\":\"8CC6E93F-D95F-4CE4-962A-B656C4EF8956\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://vuldb.com/?ctiid.350652\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Permissions Required\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?id.350652\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?submit.769581\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-4040\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-12T13:08:04.596893Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-12T13:08:10.108Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"OpenClaw File Existence tools.exec.safeBins information exposure\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"nedlir (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 4.8, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.3, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.3, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 1.7, \"vectorString\": \"AV:L/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C\"}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*\"], \"vendor\": \"n/a\", \"modules\": [\"File Existence Handler\"], \"product\": \"OpenClaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"2026.2.0\"}, {\"status\": \"affected\", \"version\": \"2026.2.1\"}, {\"status\": \"affected\", \"version\": \"2026.2.2\"}, {\"status\": \"affected\", \"version\": \"2026.2.3\"}, {\"status\": \"affected\", \"version\": \"2026.2.4\"}, {\"status\": \"affected\", \"version\": \"2026.2.5\"}, {\"status\": \"affected\", \"version\": \"2026.2.6\"}, {\"status\": \"affected\", \"version\": \"2026.2.7\"}, {\"status\": \"affected\", \"version\": \"2026.2.8\"}, {\"status\": \"affected\", \"version\": \"2026.2.9\"}, {\"status\": \"affected\", \"version\": \"2026.2.10\"}, {\"status\": \"affected\", \"version\": \"2026.2.11\"}, {\"status\": \"affected\", \"version\": \"2026.2.12\"}, {\"status\": \"affected\", \"version\": \"2026.2.13\"}, {\"status\": \"affected\", \"version\": \"2026.2.14\"}, {\"status\": \"affected\", \"version\": \"2026.2.15\"}, {\"status\": \"affected\", \"version\": \"2026.2.16\"}, {\"status\": \"affected\", \"version\": \"2026.2.17\"}, {\"status\": \"unaffected\", \"version\": \"2026.2.19-beta.1\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-12T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2026-03-12T01:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2026-03-12T07:51:24.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.350652\", \"name\": \"VDB-350652 | OpenClaw File Existence tools.exec.safeBins information exposure\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.350652\", \"name\": \"VDB-350652 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.769581\", \"name\": \"Submit #769581 | openclaw 2026.2.17 Information Disclosure\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-6c9j-x93c-rw6j\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/bafdbb6f112409a65decd3d4e7350fbd637c7754\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19-beta.1\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/openclaw/openclaw/\", \"tags\": [\"product\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability was identified in OpenClaw up to 2026.2.17. This issue affects the function tools.exec.safeBins of the component File Existence Handler. The manipulation leads to information exposure through discrepancy. The attack needs to be performed locally. Upgrading to version 2026.2.19-beta.1 is capable of addressing this issue. The identifier of the patch is bafdbb6f112409a65decd3d4e7350fbd637c7754. Upgrading the affected component is advised.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-203\", \"description\": \"Information Exposure Through Discrepancy\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"Information Disclosure\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2026-03-12T12:02:14.140Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-4040\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-12T13:08:57.088Z\", \"dateReserved\": \"2026-03-12T06:46:15.510Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2026-03-12T12:02:14.140Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…