CVE-2026-42438 Overview
CVE-2026-42438 is a sender policy bypass vulnerability in OpenClaw versions 2026.4.9 before 2026.4.10. The flaw resides in the outbound host-media attachment read helper, which fails to honor sender-scoped and group-scoped authorization boundaries. Attackers with denied read access through toolsBySender or group policy can trigger host-media attachment loading and retrieve readable local files via the outbound media path. The issue is classified under CWE-863: Incorrect Authorization and results in unauthorized local file disclosure across authorization scopes.
Critical Impact
Authenticated low-privileged attackers can bypass sender and group policy controls to read local files that should be inaccessible, breaking tenant and per-sender authorization boundaries in OpenClaw deployments.
Affected Products
- OpenClaw 2026.4.9 (Node.js distribution)
- OpenClaw releases prior to 2026.4.10
- Deployments relying on toolsBySender or group-scoped policy enforcement
Discovery Timeline
- 2026-05-05 - CVE-2026-42438 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-42438
Vulnerability Analysis
The vulnerability stems from missing authorization context in OpenClaw's outbound host-media attachment loader. When the auto-reply pipeline dispatches an attachment read, the helper does not propagate the requester's senderId or accountId into the policy check. The downstream media reader therefore evaluates access without the correct subject identity. As a result, sender-scoped denial rules configured via toolsBySender and group policy do not take effect for host-media reads.
An attacker who has been explicitly denied read access can still trigger an attachment load that reads readable local files on the host. The data is then returned through the outbound media path back to the requester, exposing file contents that the policy engine intended to block.
Root Cause
The root cause is incorrect authorization [CWE-863]. The host-media attachment read helper was invoked without the requester's identity, leaving the policy decision point with insufficient context to enforce sender or group restrictions. The fix in commit c949af9 adds the requesterSenderId and requesterAccountId parameters to the call sites that previously omitted them.
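The failure mode described above, as an added example that is not OpenClaw's code: a simplified policy decision point called once without and once with the requester identity. The policy shape, the tool name, the helper names and the fail-closed guard are assumptions of this sketch; the guard goes beyond what the patch shows.

```javascript
// Simplified model with hypothetical names and config shape (not OpenClaw code).
const HOST_MEDIA_READ = "host-media-read"; // hypothetical tool name

// Constructed policy: one sender is denied host-media reads.
const policy = {
  toolsBySender: new Map([
    ["sender-denied", { deny: [HOST_MEDIA_READ] }],
    ["sender-ok", { deny: [] }],
  ]),
  defaultAllow: true,
};

// Policy decision point. With failClosed off it mirrors the flaw: a request
// that arrives without a sender matches no rule and receives the default.
function canReadHostMedia(pol, requester, { failClosed = false } = {}) {
  const { requesterSenderId, requesterAccountId } = requester;
  if (failClosed && (!requesterSenderId || !requesterAccountId)) return false;
  const rule = pol.toolsBySender.get(requesterSenderId);
  if (rule && rule.deny.includes(HOST_MEDIA_READ)) return false;
  return pol.defaultAllow;
}

// Call site before the fix: the requester identity is never forwarded.
function loadAttachmentUnfixed(ctx) {
  return canReadHostMedia(policy, { sessionKey: ctx.sessionKey });
}

// Call site after the fix: identity is threaded through, and a missing
// identity is refused instead of being treated as "no rule applies".
function loadAttachmentFixed(ctx) {
  return canReadHostMedia(
    policy,
    {
      sessionKey: ctx.sessionKey,
      requesterSenderId: ctx.senderId,
      requesterAccountId: ctx.accountId,
    },
    { failClosed: true }
  );
}

// Constructed request context for the denied sender.
const deniedCtx = { sessionKey: "s1", senderId: "sender-denied", accountId: "acct-1" };
console.log("unfixed call site allows read:", loadAttachmentUnfixed(deniedCtx));
console.log("fixed call site allows read:", loadAttachmentFixed(deniedCtx));
```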
Attack Vector
Exploitation requires network access and low privileges, with no user interaction. An attacker invokes a command path that triggers host-media attachment loading and references a local file the policy engine would otherwise deny. Because the read helper bypasses the sender policy, the file content is returned through the outbound media response.
// Patch: src/auto-reply/reply/commands-reset-hooks.ts
// fix(media): honor sender policy for host media reads (#64459)
to,
sessionKey: params.sessionKey,
accountId: params.ctx.AccountId,
+ requesterSenderId: params.command.senderId,
threadId: params.ctx.MessageThreadId,
cfg: params.cfg,
});
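Review bot: in commands-reset-hooks.ts the added requesterSenderId: params.command.senderId is passed with no visible guard for an empty or undefined senderId. If the read helper treats a missing requester as "no sender-scoped rule applies", this call site still evaluates unscoped whenever the command carries no sender. Consider refusing the host-media read when senderId is absent before making the call, and add a regression test that uses a sender denied through toolsBySender.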
// Patch: src/auto-reply/reply/dispatch-acp-delivery.ts
// fix(media): honor sender policy for host media reads (#64459)
message,
},
sessionKey: params.ctx.SessionKey,
+ requesterAccountId: params.ctx.AccountId,
});
state.routedCounts.tool += 1;
return true;
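Review bot: the dispatch-acp-delivery.ts call gains requesterAccountId: params.ctx.AccountId but, in the visible lines, no requesterSenderId, whereas the commands-reset-hooks.ts call site forwards the sender. With only the account identity, sender-scoped toolsBySender rules may still have no subject to match on this path. Pass the sender id here as well if the context carries one, or add a comment explaining why account scope alone is sufficient for this delivery path.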
Source: GitHub commit c949af9. The patch threads the requester identity into the host-media read path so the policy engine can correctly evaluate sender and group rules.
Detection Methods for CVE-2026-42438
Indicators of Compromise
- Auto-reply log entries showing host-media attachment reads triggered by senders denied via toolsBySender policy.
- Outbound media responses containing local file paths or contents that originate outside the configured attachment scope.
- Unexpected file system reads from the OpenClaw process for paths outside the standard media directory.
Detection Strategies
- Audit OpenClaw application logs for attachment reads where the resolved subject lacks requesterSenderId or requesterAccountId context.
- Correlate auto-reply command invocations against per-sender deny lists to identify policy-bypassing reads.
- Monitor for command IDs handled by commands-reset-hooks.ts and dispatch-acp-delivery.ts that produce media payloads despite a denied policy decision.
Monitoring Recommendations
- Enable verbose logging on the OpenClaw outbound media path and forward events to a centralized log platform.
- Alert on file read operations targeting paths outside the expected attachment directory.
- Track the installed OpenClaw version across hosts to confirm all instances are at 2026.4.10 or later.
How to Mitigate CVE-2026-42438
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which includes the patch from commit c949af9.
- Inventory all OpenClaw deployments and verify the installed version against the fixed release.
- Review toolsBySender and group policy configurations to confirm intended deny rules are in place.
Patch Information
The vendor released the fix in commit c949af9fabf3873b5b7c484090cb5f5ab6049a98 and published the GHSA-jhpv-5j76-m56h advisory. Additional analysis is available in the VulnCheck advisory on the OpenClaw sender policy bypass.
Workarounds
- Disable host-media attachment handling in auto-reply commands until the patched version is deployed.
- Restrict OpenClaw process file system permissions so it cannot read sensitive local files outside the intended media directory.
- Limit network access to OpenClaw endpoints to trusted senders while patching is rolled out.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.10
# Verify the installed version
npm ls openclaw
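For the inventory and version-tracking steps above, an added example (not from the vendor or the OpenClaw project) that audits the JSON form of the npm ls output and flags every copy below 2026.4.10, including copies nested under other packages. Versions are compared numerically because a plain string comparison ranks 2026.4.9 above 2026.4.10; the host name and sample tree are constructed.

```javascript
const FIXED_VERSION = "2026.4.10"; // fixed release named in the advisory

// Split "2026.4.9" into [2026, 4, 9]; a "-pre" or "+build" suffix is dropped.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split(".").map(Number);
  if (parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric, segment-by-segment comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Walk the dependency tree from `npm ls openclaw --json`, nested copies included.
function findInstalls(node, name, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies ?? {})) {
    const path = [...trail, dep];
    if (dep === name && info.version) hits.push({ path: path.join(" > "), version: info.version });
    hits.push(...findInstalls(info, name, path));
  }
  return hits;
}

// Flag every copy below the fixed release. Pre-release builds of the fixed
// version are flagged too, a conservative choice made by this example.
function auditHost(host, npmLsJson) {
  return findInstalls(JSON.parse(npmLsJson), "openclaw").map((hit) => {
    const cmp = compareVersions(hit.version, FIXED_VERSION);
    return { host, ...hit, needsUpgrade: cmp < 0 || (cmp === 0 && hit.version.includes("-")) };
  });
}

// Constructed sample output for a hypothetical host, not real inventory data.
const SAMPLE_NPM_LS = JSON.stringify({
  name: "bot-host",
  version: "1.0.0",
  dependencies: {
    openclaw: { version: "2026.4.10" },
    "example-plugin": { version: "0.3.0", dependencies: { openclaw: { version: "2026.4.9" } } },
  },
});
console.log(auditHost("host-a", SAMPLE_NPM_LS));
```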


