PT-2026-6291 · Openclaw · Openclaw
Evanotero +1
Published: 2026-02-04 · Updated: 2026-03-22
CVE-2026-25475
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.1.30
Description
OpenClaw is a personal AI assistant. The isValidMedia() function in src/media/parse.ts accepts arbitrary file paths, including absolute paths, home-directory paths, and directory traversal sequences. An agent can therefore read any file on the system by outputting MEDIA: followed by a file path, potentially exfiltrating sensitive data to a user or channel. The root cause is the insufficient validation in isValidMedia() and the subsequent handling of the unchecked file path.
Recommendations
Update to version 2026.1.30 or later.
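As an added illustration (not OpenClaw's code and not the project's actual fix), the following TypeScript shows the kind of check an isValidMedia()-style function needs: it extracts the path after a MEDIA: marker, rejects absolute, home-directory and traversal paths, and confines the result to a media root. MEDIA_ROOT and the extension allowlist are assumptions for this example.

```typescript
import * as path from "path";

// Added example, not OpenClaw's code or its actual fix. MEDIA_ROOT is an assumed
// location; a real deployment would take it from configuration.
const MEDIA_ROOT = path.resolve("/srv/openclaw/media");
// Only file types a media handler has any business opening (assumed allowlist).
const ALLOWED_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".mp3", ".mp4", ".pdf"]);

// Extract the path an agent supplies after the MEDIA: marker; null if this is not a media line.
function extractMediaPath(line: string): string | null {
  const m = /^MEDIA:\s*(.+?)\s*$/.exec(line);
  return m ? m[1] : null;
}

// Hardened replacement for an isValidMedia()-style check: true only for a relative
// path that stays inside `root` and names an allowlisted file type.
function isValidMedia(candidate: string, root: string = MEDIA_ROOT): boolean {
  if (candidate.length === 0) return false;
  // NUL and other control bytes can truncate or confuse downstream path handling.
  if (/[\x00-\x1f]/.test(candidate)) return false;
  // Absolute paths of any flavour (POSIX, Windows drive, UNC) and ~ expansion are refused.
  if (path.isAbsolute(candidate) || /^[\\/]/.test(candidate) ||
      /^[A-Za-z]:/.test(candidate) || candidate.startsWith("~")) return false;
  // Reject traversal segments whichever separator they use.
  if (candidate.split(/[\\/]+/).some((seg) => seg === "..")) return false;
  // Belt and braces: resolve and confirm the result is still under root.
  const resolved = path.resolve(root, candidate);
  const rel = path.relative(root, resolved);
  if (rel === "" || rel.startsWith("..") || path.isAbsolute(rel)) return false;
  return ALLOWED_EXTENSIONS.has(path.extname(resolved).toLowerCase());
}

// Full pipeline: agent output line -> absolute path under the media root, or null if refused.
// Symlinks inside root can still point outside it, so also check fs.realpath at open time.
function resolveMediaRequest(line: string, root: string = MEDIA_ROOT): string | null {
  const candidate = extractMediaPath(line);
  if (candidate === null || !isValidMedia(candidate, root)) return null;
  return path.resolve(root, candidate);
}
```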
Information Disclosure
Path traversal
Affected Products: Openclaw