PT-2026-22495 · Npm · Openclaw

Published: 2026-02-18 · Updated: 2026-02-18

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments.

Details

When sendBlueBubblesMedia received a non-HTTP media source, the previous implementation resolved it to a local path and read it directly from disk. No allowlist of safe directories was required, so values such as /etc/passwd (or equivalent sensitive paths on other platforms) could be requested and exfiltrated.
The fix hardens local media loading by requiring explicitly configured roots (channels.bluebubbles.mediaLocalRoots) and by enforcing canonical-path containment checks (the candidate path is canonicalized, so symlinks and `..` segments are resolved before it is compared against the roots) before reading local files. Paths outside the allowed roots are rejected.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected: < v2026.2.14
  • Fixed: >= v2026.2.14 (planned)

Impact

An attacker able to trigger BlueBubbles media sends could exfiltrate local files accessible to the OpenClaw process.

Remediation

Upgrade to a release that includes commit 71f357d9498cebb0efe016b0496d5fbe807539fc and configure channels.bluebubbles.mediaLocalRoots to explicit trusted directories.

Fix

Path traversal


Weakness Enumeration

Related Identifiers

GHSA-RWJ8-P9VQ-25GV

Affected Products

Openclaw