OpenClaw: Webchat audio embedding could read local files without local-root containment

Description

Impact

OpenClaw deployments before 2026.4.15 could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths.

If an attacker could influence an agent or tool-produced ReplyPayload.mediaUrl, the webchat audio embedding helper could resolve an absolute local path or file: URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.

The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.

Affected Packages / Versions

  • Package: openclaw on npm
  • Affected versions: <= 2026.4.14
  • Patched version: 2026.4.15

The latest public release, 2026.4.21, also contains the fix.

Patches

The public fix threads the applicable local media roots into the webchat audio embedding path and calls assertLocalMediaAllowed before local audio content is read. Current main also includes an additional trustedLocalMedia gate so untrusted model/tool payloads cannot opt into local audio embedding.

Fix commit:

  • 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde

Workarounds

Upgrade to [email protected] or later. The latest public release, 2026.4.21, is fixed. Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.

Credits

OpenClaw thanks @zsxsoft for reporting.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-29 21:34:39 UTC
Updated
2026-05-29 03:47:43 UTC
GitHub reviewed
2026-04-29 21:34:39 UTC

CVSS Scores

Base score Version Severity Vector
6.0 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:L)
Limited confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

Type Value
GHSA GHSA-gfg9-5357-hv4c ↗

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Credits

  • zsxsoft (reporter)
  • KeenSecurityLab (sponsor)
  • qclawer (sponsor)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
npm openclaw <= 2026.4.14 2026.4.15

References

cvelogic Threat Intelligence