CVE-2026-29611
8.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| OpenClaw | OpenClaw | 0 < 2026.2.14 | affected |
Weaknesses
- CWE-73: External Control of File Name or Path
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv
- https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc
- https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.