OpenClaw, Shared Reply MEDIA Path Trust, (Moderate)

Listen to this Post

The vulnerability resides in OpenClaw’s shared reply mechanism for `MEDIA:` references. When a user shares a media file via a reply, the system extracts the file path from the `MEDIA:` token and treats it as trusted generated media, without proper source-level validation. An attacker can craft a shared reply that contains a `MEDIA:` reference pointing to a local file path (e.g., MEDIA:/etc/passwd). Because the path is assumed to be trusted generated media, the system does not apply the usual cross-channel isolation checks. As a result, the referenced local file is read and then unintentionally delivered to another channel (cross‑channel exfiltration). This bypasses the intended per‑channel sandbox and allows an attacker to read arbitrary files from the host filesystem. The issue exists because the path validation logic does not distinguish between user‑supplied paths and internally generated media paths. The vulnerability affects all versions up to and including 2026.4.4. The fix, available in version 2026.4.8, introduces strict validation of `MEDIA:` paths during shared reply processing, ensuring that only paths generated by the system are treated as trusted. The patch also enforces cross‑channel isolation by validating the channel context before processing any `MEDIA:` reference.

Platform: OpenClaw (npm)
Version: <=2026.4.4
Vulnerability: Cross‑channel local exfiltration
Severity: Moderate
date: 2026-04-09
Prediction: Patch 2026.04.08

What Undercode Say:

Check your OpenClaw version
npm list openclaw
Upgrade to the patched version
npm install [email protected]
Verify the fix (commit d7c3210cd6f5fdfdc1beff4c9541673e814354d5)
git fetch origin && git diff d7c3210cd6f5fdfdc1beff4c9541673e814354d5^..d7c3210cd6f5fdfdc1beff4c9541673e814354d5
Simulate a malicious shared reply (for testing only)
echo "Check this file: MEDIA:/etc/passwd" | openclaw message send --channel victim --reply

Exploit:

An attacker in one channel sends a message that triggers a shared reply containing a `MEDIA:` token with a path to a sensitive local file (e.g., MEDIA:/etc/passwd). The vulnerable OpenClaw version treats the path as trusted generated media, reads the file, and sends its content to another channel where the attacker can access it. This works even if the attacker has no direct access to the target channel, effectively allowing cross‑channel data theft.

Protection from this CVE

Upgrade to OpenClaw version 2026.4.8 immediately. If an immediate upgrade is not possible, disable shared replies or restrict the `MEDIA:` handler to only accept paths that are explicitly generated by the system. Review the `mediaLocalRoots` configuration to limit which local directories are accessible. Monitor logs for unexpected `MEDIA:` references that point to sensitive files.

Impact:

Arbitrary local file read across channel boundaries. An attacker can exfiltrate configuration files, credentials, SSH keys, and other sensitive data stored on the host filesystem. The vulnerability bypasses per‑channel sandboxing and can lead to full compromise of the OpenClaw instance and the underlying host.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top