PT-2026-23564 · Openclaw

Peng Zhou · Published 2026-02-14 · Updated 2026-03-11 · CVE-2026-29611

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14

Description: The BlueBubbles extension in OpenClaw contains a local file inclusion issue in how media paths are handled, which allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function does not validate the mediaPath parameter against an allowlist, so an attacker can request sensitive files and exfiltrate them as media attachments. The issue occurs when processing non-HTTP media sources: the software resolves the path to a local file and reads it directly from disk without proper validation.

Recommendations: Upgrade to version 2026.2.14 or later. Configure channels.bluebubbles.mediaLocalRoots to explicit trusted directories.

Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2026-06332
CVE-2026-29611
GHSA-RWJ8-P9VQ-25GV

Affected Products

Bluebubbles
Openclaw