Feiyang666

#15545 of 53,630
17.4 Total CVSS
Vulnerabilities · 2
High · 2
PT-2026-37018
8.6
2026-04-17
Openclaw · Openclaw · CVE-2026-43533
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.4.10

**Description**
An arbitrary file read issue exists in QQBot media tags. Attackers can craft malicious reply text containing media tags to reference host-local paths outside the intended media storage boundary, leading to the disclosure of arbitrary local files through outbound media handling.

**Recommendations**
Update to version 2026.4.10 or newer.

PT-2026-38239
8.8
2026-04-17
Openclaw · Openclaw · CVE-2026-43584
**Name of the Vulnerable Software and Affected Versions**
OpenClaw versions prior to 2026.4.10

**Description**
An insufficient environment variable denylist in the exec environment policy allows operator-supplied overrides of high-risk interpreter startup variables. Specifically, the variables `VIMINIT`, `EXINIT`, `LUA_INIT`, and `HOSTALIASES` can be manipulated to influence downstream execution behavior or network connectivity.

**Recommendations**
Update to version 2026.4.10.