GHSA-f934-5rqf-xx47
OpenClaw: QMD memory_get restricts reads to canonical or indexed memory paths
Details
## Summary
The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.
## Impact
When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary `*.md` files under the configured workspace root, even when those files were not canonical memory files and had not been returned by QMD search. Severity remains low because exploitation requires access to the memory tool surface and is limited to workspace Markdown files, but it bypassed the intended memory-path policy.
## Affected versions
- Affected: `< 2026.4.15` - Patched: `2026.4.15`
## Fix
OpenClaw `2026.4.15` restricts QMD reads to canonical memory paths or previously indexed QMD workspace paths. Workspace containment alone is no longer sufficient.
Verified in `v2026.4.15`:
- `extensions/memory-core/src/memory/qmd-manager.ts` rejects non-default workspace Markdown paths unless they match an indexed QMD workspace read path. - `extensions/memory-core/src/memory/qmd-manager.test.ts` covers QMD session search-result reads and the read-path restriction behavior.
Fix commit included in `v2026.4.15` and absent from `v2026.4.14`:
- `37d5971db36491d5050efd42c333cbe0b98ed292` via PR #66026
Thanks to @zsxsoft, Keen Security Lab, and @qclawer for reporting this issue.
Are you affected?
Enter the version of the package you're using.