PT-2026-37010 · Openclaw · Openclaw

Akiyama Mio · Published 2026-04-17 · Updated 2026-05-05

CVE-2026-42438

CVSS v3.1: 7.7 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.4.9 through 2026.4.9

Description: A sender policy bypass exists in the outbound host-media attachment read helper. This issue allows unauthorized local file disclosure when deployments allow host read or filesystem root expansion at the global or agent level but rely on sender- or group-scoped policy to deny read access for certain participants. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass authorization boundaries and retrieve readable local files through the outbound media path.

Recommendations: Update to version 2026.4.10.
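The advisory describes a layered policy where host read is enabled at the global or agent scope and a sender or group scope is expected to deny it for particular participants, but one code path (the outbound host-media attachment reader) consults only the outer scopes. The following is an added illustration of that bug class and its fix; it is a hypothetical model written for this page, not OpenClaw's own code. The types ReadPolicy, Deployment and Requester, the helper functions, the in-memory HOST_FILES map and every sender, group and path value are constructed assumptions; only the configuration name toolsBySender comes from the advisory.

```typescript
// Hypothetical model of scoped host-read policy (not OpenClaw's code).
// A scope that leaves allowHostRead undefined inherits from the scope above it.
interface ReadPolicy {
  allowHostRead?: boolean;
}

// Assumed layering: global < agent < group < sender (more specific wins).
interface Deployment {
  global: ReadPolicy;
  agent: ReadPolicy;
  groups: Record<string, ReadPolicy>;
  toolsBySender: Record<string, ReadPolicy>;
}

interface Requester {
  sender: string;
  group?: string;
}

// Constructed stand-in for the host filesystem the media helper reads from.
const HOST_FILES: Record<string, string> = {
  "/srv/media/banner.png": "<png bytes>",
  "/etc/app/secret.env": "API_TOKEN=constructed-placeholder",
};

// Walk the layers in order; the last layer that states a value decides.
function effectiveAllow(layers: ReadPolicy[]): boolean {
  let allow = false;
  for (const layer of layers) {
    if (layer.allowHostRead !== undefined) {
      allow = layer.allowHostRead;
    }
  }
  return allow;
}

// Vulnerable helper: decides from the global and agent scope only, so a
// deny placed on the sender or group is never consulted. A participant who
// is denied elsewhere still gets file contents back through this path.
function readHostMediaVulnerable(d: Deployment, _r: Requester, path: string): string | null {
  const allowed = effectiveAllow([d.global, d.agent]);
  if (!allowed) return null;
  return HOST_FILES[path] ?? null;
}

// Fixed helper: the same decision, but with the participant-scoped layers
// applied on top, so a sender- or group-level deny takes effect here too.
function readHostMediaFixed(d: Deployment, r: Requester, path: string): string | null {
  const layers: ReadPolicy[] = [d.global, d.agent];
  if (r.group !== undefined && d.groups[r.group] !== undefined) {
    layers.push(d.groups[r.group]);
  }
  if (d.toolsBySender[r.sender] !== undefined) {
    layers.push(d.toolsBySender[r.sender]);
  }
  const allowed = effectiveAllow(layers);
  if (!allowed) return null;
  return HOST_FILES[path] ?? null;
}

// Constructed deployment matching the advisory's scenario: host read is on
// globally, but one group and one sender are explicitly denied.
const DEPLOYMENT: Deployment = {
  global: { allowHostRead: true },
  agent: {},
  groups: { "support-room": { allowHostRead: false } },
  toolsBySender: { "sender-denied": { allowHostRead: false } },
};

// Runs both helpers for a denied participant and reports what each returns.
function demo(): { vulnerable: string | null; fixed: string | null } {
  const denied: Requester = { sender: "sender-denied", group: "support-room" };
  return {
    vulnerable: readHostMediaVulnerable(DEPLOYMENT, denied, "/etc/app/secret.env"),
    fixed: readHostMediaFixed(DEPLOYMENT, denied, "/etc/app/secret.env"),
  };
}

console.log(demo());
```

The defensive point is that every read path must resolve the full policy chain; a single helper that short-circuits at the agent scope silently turns a participant-level deny into a no-op. When auditing a deployment, compare the scope that the outbound media helper evaluates with the scope that the rest of the tool-authorization code evaluates, and treat any mismatch as a finding even if the default is deny.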

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-42438, GHSA-JHPV-5J76-M56H

Affected Products: Openclaw