OpenClaw
CVE-2026-41366
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfiltrate credentials and access sensitive files.
AnalysisAI
OpenClaw before version 2026.3.31 allows authenticated attackers to read arbitrary host files through improper validation in the appendLocalMediaParentRoots function, enabling exfiltration of credentials and sensitive data. The vulnerability permits model-initiated file access by exploiting a self-whitelisting mechanism that fails to properly validate media parent directory paths. Authentication is required, but the flaw affects confidentiality with a CVSS score of 6.0.
Technical ContextAI
OpenClaw's appendLocalMediaParentRoots function implements media library path management but fails to properly validate parent directory references before adding them to the whitelist. The root cause (CWE-732: Incorrect Permission Assignment for Critical Resource) indicates that the application grants excessive permissions or fails to enforce proper access controls on file system operations. Attackers can manipulate directory path validation to escape intended sandbox boundaries and access files outside the designated media directory. This is a local file disclosure vulnerability at the application layer, where the model or application layer can be induced to read arbitrary files through crafted path inputs.
RemediationAI
Upgrade to OpenClaw version 2026.3.31 or later, which includes fixes for the appendLocalMediaParentRoots validation logic. The upstream fix is available at https://github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364. As an interim compensating control, restrict the file system permissions of the OpenClaw process to exclude access to sensitive directories (e.g., /etc, /root, credential stores) using OS-level file access controls (SELinux, AppArmor, or Windows file ACLs). Additionally, disable or restrict the model inference feature if it is not required, and isolate OpenClaw in a container or sandbox with minimal file system permissions to limit the scope of readable files. These controls reduce exposure but do not eliminate the vulnerability; patching is the primary remediation.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today