Listen to this Post
The vulnerability resides in OpenClaw’s outbound host‑media attachment read helper (src/outbound/media.ts and src/policy/tools.ts).
1. Policy mismatch – The system enforces tool access via global/agent‑level rules, plus per‑sender or per‑group overrides (toolsBySender, groups..tools.deny).
2. Bypass trigger – A denied sender sends a message that references a host‑local file through the `host‑media` attachment mechanism (e.g., a `file://` path).
3. Flawed helper – The helper loads the media based solely on global/agent permissions, ignoring the sender/group context that would normally block `read` actions.
4. Outbound delivery – The file is read, base64‑encoded, and returned as an outbound attachment (image/audio/video) to the sender.
5. Impact – Arbitrary host files readable by the OpenClaw process can be disclosed to untrusted channel participants.
DailyCVE Form
Platform: npm / OpenClaw
Version: >=2026.4.9 <2026.4.10
Vulnerability: Sender policy bypass
Severity: Medium
Date: 2026‑04‑17
Prediction: Fixed in 2026.4.10 (already patched)
What Undercode Say: Analytics
Count affected deployments (Censys query example) $ censys search 'services.http.response.body:"openclaw" and services.http.response.body:"2026.4.9"' | wc -l Find hosts with risky global read enabled $ grep -r "read.true" ~/.openclaw/config.json | wc -l
Log analysis
Look for outbound media reads from senders who lack `read` permission:
$ grep -E "outbound-media.senderId=[^ ]+.policy=deny" /var/log/openclaw/audit.log
How Exploit
- Identify a channel where `toolsBySender` or a group policy denies `read` for your sender ID.
- Craft a message containing a reference to a sensitive local file (e.g., `file:///etc/passwd` or
file:///home/user/.ssh/id_rsa). - Send the message – the outbound helper fetches the file and returns its content as a media attachment.
Example payload (Telegram / Slack):
@bot /media file:///etc/passwd
The bot replies with the file content embedded in an image/audio/video message.
Protection from this CVE
- Upgrade to OpenClaw `2026.4.10` or newer (includes commit
c949af9fabf3873b5b7c484090cb5f5ab6049a98). - Mitigation (if upgrade impossible):
- Disable global/agent‑level `read` for all channels, or
- Restrict `host-media` attachment capability via `tools.deny: [“readFile”]` in global policy.
- Audit existing policies: ensure `toolsBySender` and group denials are actually enforced (test with a controlled sender).
- Monitor logs for outbound media access from unexpected senders.
Impact
- Confidentiality – Local files readable by the OpenClaw process (configuration, SSH keys, database credentials) can be exfiltrated.
- Policy violation – Bypasses intended sender/group restrictions, undermining least‑privilege design.
- Lateral movement – Exposed credentials may enable further attacks on the host or internal network.
- Compliance – Unauthorized data access may violate GDPR, HIPAA, or other data protection regulations.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

