Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media.
AnalysisAI
Path traversal in OpenClaw npm package allows authenticated attackers to expose confidential host-local files via Discord event cover image parameters. Versions 2026.4.7 through 2026.4.9 fail to normalize Discord event cover image paths through sandbox media processing, enabling attackers with low-privilege Discord bot credentials to bypass media sandboxing and inject host-local file references (e.g., file:///workspace/assets/event-cover.png) into channel actions expecting normalized media. This results in high confidentiality impact with scope change, as local filesystem paths outside the intended sandbox can be accessed. Vendor-released patch available (2026.4.10+). No active exploitation confirmed (not in CISA KEV), but public exploit code exists via GitHub commit and advisory.
Technical ContextAI
OpenClaw is an npm package providing Discord bot integration capabilities. The vulnerability stems from CWE-184 (Incomplete List of Disallowed Inputs), where the sandbox media normalization function checked only specific parameter keys ('media', 'path', 'filePath', 'mediaUrl', 'fileUrl') but omitted the 'image' parameter used by Discord's eventCreate API. When processing Discord event cover images, the code failed to rewrite file:// URIs pointing to host-local paths into sandbox-rooted paths. This allowed an attacker to craft Discord event creation requests with 'image' parameters containing absolute filesystem paths that would bypass the normalization routine and reach downstream channel action handlers expecting only sandboxed media references. The fix adds 'image' to the SANDBOX_MEDIA_PARAM_KEYS allowlist and includes test coverage for the event-create media path, ensuring all user-controllable media parameters undergo path rewriting before reaching sensitive file operations.
RemediationAI
Upgrade to OpenClaw version 2026.4.10 or newer immediately. The vendor-released patch is confirmed in stable tag v2026.4.10, with the latest npm release 2026.4.14 already including the fix. Update via npm with 'npm install openclaw@latest' or specify 'openclaw@^2026.4.10' in package.json dependencies. The fix commit 979c6f09d6fad96596feb91c905934be7e0b4f15 (PR #64377) adds 'image' to the SANDBOX_MEDIA_PARAM_KEYS array, ensuring Discord event cover images undergo the same path normalization as other media parameters. If immediate upgrade is not feasible, implement compensating controls: (1) Restrict Discord bot permissions to prevent event creation capabilities - this eliminates the attack vector but breaks event management functionality; (2) Deploy OpenClaw bot processes in isolated containers with read-only filesystem mounts for workspace directories, limiting exposure of sensitive files - adds operational overhead and may impact legitimate media operations; (3) Implement application-layer input validation to reject file:// URIs in all Discord API parameters before they reach OpenClaw - requires code changes and thorough testing of all media workflows. None of these workarounds are preferable to the vendor patch. Refer to GitHub advisory https://github.com/openclaw/openclaw/security/advisories/GHSA-c9h3-5p7r-mrjh and patch commit https://github.com/openclaw/openclaw/commit/979c6f09d6fad96596feb91c905934be7e0b4f15 for full technical details.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27275