CVE-2026-42438
Undergoing Analysis Undergoing Analysis - In Progress
OpenClaw Sender Policy Bypass Allows Local File Disclosure

Publication date: 2026-05-05

Last updated on: 2026-05-07

Assigner: VulnCheck

Description
OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42438
EUVD
EUVD-2026-27259
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw 2026.4.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the sender policy bypass vulnerability in OpenClaw affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper. This flaw allows attackers who have restricted read access via toolsBySender or group policy to bypass sender and group-scoped authorization boundaries.

By triggering host-media attachment loading, these attackers can retrieve readable local files through the outbound media path, leading to unauthorized local file disclosure.

The vulnerability is classified under CWE-863 (Incorrect Authorization) and was fixed in version 2026.4.10.

Impact Analysis

This vulnerability can allow an attacker with limited read permissions to bypass sender and group policy restrictions and access local files that should be protected.

Such unauthorized local file disclosure can lead to exposure of sensitive or confidential information stored on the affected system.

Because the attacker can retrieve files through the outbound media path, this could result in data leakage outside the intended security boundaries.

Mitigation Strategies

To mitigate this vulnerability, you should immediately update OpenClaw to version 2026.4.10 or later, where the issue has been fixed.

The fix ensures proper enforcement of sender identity and policy during outbound host-media attachment reads, preventing unauthorized local file disclosure.

Applying this patch will close the sender policy bypass and restore correct authorization boundaries.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart