OpenClaw (npm), Sender Policy Bypass, GHSA‑jhpv‑5j76‑m56h (Medium)

Listen to this Post

The vulnerability resides in OpenClaw’s outbound host‑media attachment read helper (src/outbound/media.ts and src/policy/tools.ts).
1. Policy mismatch – The system enforces tool access via global/agent‑level rules, plus per‑sender or per‑group overrides (toolsBySender, groups..tools.deny).
2. Bypass trigger – A denied sender sends a message that references a host‑local file through the `host‑media` attachment mechanism (e.g., a `file://` path).
3. Flawed helper – The helper loads the media based solely on global/agent permissions, ignoring the sender/group context that would normally block `read` actions.
4. Outbound delivery – The file is read, base64‑encoded, and returned as an outbound attachment (image/audio/video) to the sender.
5. Impact – Arbitrary host files readable by the OpenClaw process can be disclosed to untrusted channel participants.

DailyCVE Form

Platform: npm / OpenClaw
Version: >=2026.4.9 <2026.4.10
Vulnerability: Sender policy bypass
Severity: Medium
Date: 2026‑04‑17

Prediction: Fixed in 2026.4.10 (already patched)

What Undercode Say: Analytics

Count affected deployments (Censys query example)
$ censys search 'services.http.response.body:"openclaw" and services.http.response.body:"2026.4.9"' | wc -l
Find hosts with risky global read enabled
$ grep -r "read.true" ~/.openclaw/config.json | wc -l

Log analysis

Look for outbound media reads from senders who lack `read` permission:

$ grep -E "outbound-media.senderId=[^ ]+.policy=deny" /var/log/openclaw/audit.log

How Exploit

  1. Identify a channel where `toolsBySender` or a group policy denies `read` for your sender ID.
  2. Craft a message containing a reference to a sensitive local file (e.g., `file:///etc/passwd` or file:///home/user/.ssh/id_rsa).
  3. Send the message – the outbound helper fetches the file and returns its content as a media attachment.

Example payload (Telegram / Slack):

@bot /media file:///etc/passwd

The bot replies with the file content embedded in an image/audio/video message.

Protection from this CVE

  • Upgrade to OpenClaw `2026.4.10` or newer (includes commit c949af9fabf3873b5b7c484090cb5f5ab6049a98).
  • Mitigation (if upgrade impossible):
  • Disable global/agent‑level `read` for all channels, or
  • Restrict `host-media` attachment capability via `tools.deny: [“readFile”]` in global policy.
  • Audit existing policies: ensure `toolsBySender` and group denials are actually enforced (test with a controlled sender).
  • Monitor logs for outbound media access from unexpected senders.

Impact

  • Confidentiality – Local files readable by the OpenClaw process (configuration, SSH keys, database credentials) can be exfiltrated.
  • Policy violation – Bypasses intended sender/group restrictions, undermining least‑privilege design.
  • Lateral movement – Exposed credentials may enable further attacks on the host or internal network.
  • Compliance – Unauthorized data access may violate GDPR, HIPAA, or other data protection regulations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top