CVE-2026-41366

CVSS v3.1

5.5

Medium

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfiltrate credentials and access sensitive files.

Fix

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-732

Related Identifiers

CVE-2026-41366

Affected Products

Openclaw

CVE-2026-41366

Weakness Enumeration

Related Identifiers

Affected Products

References · 4