PT-2026-35554 · Openclaw · Openclaw

Tdjackey · Published 2026-04-27 · Updated 2026-04-28 · CVE-2026-41366

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.31

Description: A local-roots self-whitelisting issue exists in the appendLocalMediaParentRoots() function. Because the media parent directory is not properly validated, a model-initiated request can read arbitrary files on the host, which could enable attackers to exfiltrate credentials and access other sensitive files.

Recommendations: Update to version 2026.3.31 or later. As a temporary workaround, restrict access to the appendLocalMediaParentRoots() function to minimize the risk of exploitation.

Tags: Fix · LPE · Incorrect Permission


Weakness Enumeration

Related Identifiers: CVE-2026-41366

Affected Products: Openclaw