CVE-2026-41389
Received Received - Intake
Local-Root Containment Bypass in OpenClaw Allows Arbitrary File Access

Publication date: 2026-04-20

Last updated on: 2026-04-28

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41389
EUVD
EUVD-2026-23931
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.4.7 (inc) to 2026.4.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41389 is a security vulnerability in OpenClaw versions 2026.4.7 before 2026.4.15 that affects the webchat media embedding functionality. The issue arises because the system fails to enforce local-root containment on tool-result media paths, allowing attackers to craft malicious media references that trigger unauthorized local file reads or access to Windows network (UNC) paths.

Specifically, the vulnerability allows embedding of unsafe remote-host file:// URLs and local audio files outside of explicitly allowed directories, which can lead to unauthorized file access or disclosure of sensitive information.

The fix involves rejecting remote-host file:// URLs, enforcing strict local filesystem path containment for embedded audio files within configured safe directories (localRoots), and tightening the handling of trusted tool media passthrough by requiring exact raw tool name matching to prevent unauthorized tools from inheriting local media trust.

Impact Analysis

This vulnerability can impact you by allowing attackers to access arbitrary local files on the host system or Windows network paths through crafted media references in OpenClaw webchat messages.

Such unauthorized access can lead to disclosure of sensitive files or exposure of network credentials, especially on Windows deployments where UNC paths are accessible.

Because the vulnerability triggers host-side file reads before any rendered result is shown, attackers can potentially extract confidential information without user interaction.

Detection Guidance

This vulnerability involves unsafe handling of local and UNC file paths in OpenClaw webchat media embedding, allowing unauthorized local file reads or Windows network path access. Detection involves monitoring for suspicious media embedding attempts that include remote-host file:// URLs or UNC paths.

Since the vulnerability manifests as host-side file read operations triggered by crafted tool-result media references, detection can focus on identifying such suspicious media URLs or abnormal file access attempts in logs or during runtime.

Specific commands are not provided in the available resources. However, you can monitor filesystem access logs or audit logs for unexpected reads of local or UNC paths initiated by OpenClaw processes. Additionally, inspecting webchat media payloads for embedded media URLs starting with remote-host file:// or UNC paths may help detect exploitation attempts.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade OpenClaw to version 2026.4.15 or later, where the vulnerability is fixed.

  • The fix rejects remote-host file:// URLs in media embedding paths, preventing unsafe remote file access.
  • It enforces strict local filesystem path containment by allowing only media files within explicitly configured localRoots directories to be embedded.
  • The fix also prevents client tools from improperly inheriting local media trust by enforcing exact raw tool name matching and rejecting conflicting client tool names.

Additionally, ensure that your configuration properly defines localRoots directories to restrict media embedding to safe paths, and monitor for any rejected media embedding attempts as part of your security posture.

Compliance Impact

The vulnerability in OpenClaw allows unauthorized local and UNC file access, potentially disclosing sensitive files or exposing credentials on affected systems.

Such unauthorized disclosure of sensitive files or credentials can lead to violations of data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive data.

By enabling attackers to access files outside intended containment paths, the vulnerability risks exposing protected information, thereby undermining compliance with these regulations.

The fixes introduced enforce strict local-root containment and reject unsafe media URLs, which help mitigate these risks and support compliance efforts by preventing unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41389. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart