CVE-2026-41389 MEDIUM

CVE-2026-41389: OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths

Vendor Openclaw
Product OpenClaw
Weakness CWE-73
Published April 20, 2026
Last update April 20, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions 2026.4.7 before 2026.4.15 fail to enforce local-root containment on tool-result media paths, allowing arbitrary local and UNC file access. Attackers can craft malicious tool-result media references to trigger host-side file reads or Windows network path access, potentially disclosing sensitive files or exposing credentials.

Key dates

02Disclosure timeline

April 20, 2026 CVE published
April 20, 2026 Record updated