CVE-2026-44996 Overview
CVE-2026-44996 is an arbitrary local file read vulnerability in OpenClaw before version 2026.4.15. The flaw resides in the webchat audio embedding helper, which fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file:// URLs. The handler then reads audio-like files and embeds them base64-encoded into webchat responses. This weakness is tracked under CWE-22 (Path Traversal) and impacts deployments running OpenClaw on Node.js.
Critical Impact
Network-reachable attackers can coerce the OpenClaw gateway into reading arbitrary local files that match audio filename patterns and exfiltrate their contents through base64-encoded webchat replies.
Affected Products
- OpenClaw versions prior to 2026.4.15
- OpenClaw running on Node.js runtime environments
- Deployments exposing the webchat gateway with agent or tool-produced reply payloads
Discovery Timeline
- 2026-05-11 - CVE-2026-44996 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44996
Vulnerability Analysis
The vulnerability exists in OpenClaw's webchat audio embedding pipeline, located in src/gateway/server-methods/chat-webchat-media.ts and src/gateway/server-methods/chat.ts. When an agent or plugin returns a ReplyPayload containing a mediaUrl field, the gateway resolves that value to a local filesystem path or file:// URL. The handler invokes isAudioFileName to confirm the path looks like an audio asset, then reads the file and base64-encodes its bytes into the outbound webchat reply.
The handler does not constrain resolution to the configured agent-scoped local media roots. Any path the Node.js process can read becomes accessible, provided the filename ends with a recognized audio extension. Files matching this pattern, such as configuration backups, log archives, or session artifacts named with audio extensions, are returned to the requesting webchat client.
Root Cause
The root cause is missing containment validation in the media resolution helper. Before the patch, the code path imported isAudioFileName and resolved URLs without consulting an allow-list of permitted root directories. The fix introduces assertLocalMediaAllowed and getAgentScopedMediaLocalRoots to enforce that resolved paths fall within explicitly permitted directories.
Attack Vector
An attacker capable of influencing the content of a ReplyPayload.mediaUrl field, including through prompt injection of an underlying language model, tool output manipulation, or compromised plugin responses, supplies an absolute path or file:// URL targeting a sensitive file. The webchat handler resolves the path, reads the file, and embeds its base64-encoded contents in the response. No authentication is required if the webchat endpoint is publicly reachable.
// Patch excerpt from src/gateway/server-methods/chat-webchat-media.ts
import path from "node:path";
import { fileURLToPath } from "node:url";
import type { ReplyPayload } from "../../auto-reply/reply-payload.js";
+import { assertLocalMediaAllowed, LocalMediaAccessError } from "../../media/local-media-access.js";
import { isAudioFileName } from "../../media/mime.js";
import { resolveSendableOutboundReplyParts } from "../../plugin-sdk/reply-payload.js";
import { normalizeLowercaseStringOrEmpty } from "../../shared/string-coerce.js";
Source: OpenClaw security commit 6e58f1f
// Patch excerpt from src/gateway/server-methods/chat.ts
import { extractCanvasFromText } from "../../chat/canvas-render.js";
import { resolveSessionFilePath } from "../../config/sessions.js";
import { jsonUtf8Bytes } from "../../infra/json-utf8-bytes.js";
+import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
import { isAudioFileName } from "../../media/mime.js";
import type { PromptImageOrderEntry } from "../../media/prompt-image-order.js";
import { type SavedMedia, saveMediaBuffer } from "../../media/store.js";
Source: OpenClaw security commit 6e58f1f
Detection Methods for CVE-2026-44996
Indicators of Compromise
- Webchat reply payloads containing mediaUrl values starting with file:// or absolute filesystem paths such as /etc/, /var/, or C:\\
- Outbound webchat responses with large base64-encoded audio blobs that do not correspond to any user-uploaded media
- OpenClaw gateway log entries showing isAudioFileName checks succeeding for paths outside the configured media store
Detection Strategies
- Inspect HTTP responses from the OpenClaw webchat endpoint for base64 audio payloads referencing non-media file extensions disguised with .wav, .mp3, or similar suffixes
- Audit agent and plugin output for ReplyPayload.mediaUrl fields that contain path traversal sequences or absolute paths
- Correlate language model prompt logs with subsequent file read operations performed by the Node.js process
Monitoring Recommendations
- Enable filesystem auditing on the host running the OpenClaw gateway to flag reads outside the documented media root directories
- Forward gateway access logs to a central log analytics or SIEM platform and alert on payloads exceeding expected audio attachment size baselines
- Track outbound reply sizes per session and investigate anomalies that suggest large file disclosure
How to Mitigate CVE-2026-44996
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.15 or later, which includes commit 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde
- Restrict network exposure of the webchat gateway to trusted clients until the patch is applied
- Review and constrain the operating system permissions of the Node.js process running OpenClaw to limit reachable files
Patch Information
The fix is published in the OpenClaw GitHub Security Advisory GHSA-gfg9-5357-hv4c and delivered in commit 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde. The patch introduces assertLocalMediaAllowed and getAgentScopedMediaLocalRoots helpers and invokes them before any local file is read for audio embedding. Additional context is available in the VulnCheck advisory.
Workarounds
- Run the OpenClaw gateway under a dedicated low-privilege user with read access limited to the intended media directory
- Deploy a reverse proxy or web application firewall rule that strips or rejects ReplyPayload.mediaUrl values containing file:// schemes or absolute paths
- Disable agent or plugin features that produce mediaUrl values until the upgrade can be completed
# Verify the installed OpenClaw version is patched
npm ls openclaw
# Upgrade to a fixed release
npm install openclaw@>=2026.4.15
# Run the gateway as a restricted user with limited filesystem access
useradd -r -s /usr/sbin/nologin openclaw
chown -R openclaw:openclaw /opt/openclaw/media
sudo -u openclaw node /opt/openclaw/dist/server.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
