CVE-2026-43533: OpenClaw: QQBot media tags could read arbitrary local files through reply text

April 17, 2026 (updated May 5, 2026)

QQBot media tags could read arbitrary local files through reply text.

References

github.com/advisories/GHSA-66r7-m7xm-v49h
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/604777e4414cc3b2ff8861f18f4fb04374c702c6
github.com/openclaw/openclaw/pull/63271
github.com/openclaw/openclaw/security/advisories/GHSA-66r7-m7xm-v49h
nvd.nist.gov/vuln/detail/CVE-2026-43533

Code Behaviors & Features

Detect and mitigate CVE-2026-43533 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →