Description

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials.

INFO

Published Date :

2026-04-20T17:48:43.704Z

Last Modified :

2026-04-20T18:05:03.103Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-41389 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-41389.

URL Resource
https://github.com/openclaw/openclaw/commit/1470de5d3e0970856d86cd99336bb8ada3fe87da cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc cve-icon cve-icon
https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-mr34-9552-qr95 cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-unvalidated-tool-result-media-paths cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact