Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44996

CVE-2026-44996: Openclaw Path Traversal Vulnerability

CVE-2026-44996 is a path traversal vulnerability in Openclaw that allows attackers to read arbitrary local files through webchat audio embedding. This article covers technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-44996 Overview

CVE-2026-44996 is an arbitrary local file read vulnerability in OpenClaw before version 2026.4.15. The flaw resides in the webchat audio embedding helper, which fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file:// URLs. The handler then reads audio-like files and embeds them base64-encoded into webchat responses. This weakness is tracked under CWE-22 (Path Traversal) and impacts deployments running OpenClaw on Node.js.

Critical Impact

Network-reachable attackers can coerce the OpenClaw gateway into reading arbitrary local files that match audio filename patterns and exfiltrate their contents through base64-encoded webchat replies.

Affected Products

  • OpenClaw versions prior to 2026.4.15
  • OpenClaw running on Node.js runtime environments
  • Deployments exposing the webchat gateway with agent or tool-produced reply payloads

Discovery Timeline

  • 2026-05-11 - CVE-2026-44996 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-44996

Vulnerability Analysis

The vulnerability exists in OpenClaw's webchat audio embedding pipeline, located in src/gateway/server-methods/chat-webchat-media.ts and src/gateway/server-methods/chat.ts. When an agent or plugin returns a ReplyPayload containing a mediaUrl field, the gateway resolves that value to a local filesystem path or file:// URL. The handler invokes isAudioFileName to confirm the path looks like an audio asset, then reads the file and base64-encodes its bytes into the outbound webchat reply.

The handler does not constrain resolution to the configured agent-scoped local media roots. Any path the Node.js process can read becomes accessible, provided the filename ends with a recognized audio extension. Files matching this pattern, such as configuration backups, log archives, or session artifacts named with audio extensions, are returned to the requesting webchat client.

Root Cause

The root cause is missing containment validation in the media resolution helper. Before the patch, the code path imported isAudioFileName and resolved URLs without consulting an allow-list of permitted root directories. The fix introduces assertLocalMediaAllowed and getAgentScopedMediaLocalRoots to enforce that resolved paths fall within explicitly permitted directories.

Attack Vector

An attacker capable of influencing the content of a ReplyPayload.mediaUrl field, including through prompt injection of an underlying language model, tool output manipulation, or compromised plugin responses, supplies an absolute path or file:// URL targeting a sensitive file. The webchat handler resolves the path, reads the file, and embeds its base64-encoded contents in the response. No authentication is required if the webchat endpoint is publicly reachable.

typescript
// Patch excerpt from src/gateway/server-methods/chat-webchat-media.ts
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 import type { ReplyPayload } from "../../auto-reply/reply-payload.js";
+import { assertLocalMediaAllowed, LocalMediaAccessError } from "../../media/local-media-access.js";
 import { isAudioFileName } from "../../media/mime.js";
 import { resolveSendableOutboundReplyParts } from "../../plugin-sdk/reply-payload.js";
 import { normalizeLowercaseStringOrEmpty } from "../../shared/string-coerce.js";

Source: OpenClaw security commit 6e58f1f

typescript
// Patch excerpt from src/gateway/server-methods/chat.ts
 import { extractCanvasFromText } from "../../chat/canvas-render.js";
 import { resolveSessionFilePath } from "../../config/sessions.js";
 import { jsonUtf8Bytes } from "../../infra/json-utf8-bytes.js";
+import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
 import { isAudioFileName } from "../../media/mime.js";
 import type { PromptImageOrderEntry } from "../../media/prompt-image-order.js";
 import { type SavedMedia, saveMediaBuffer } from "../../media/store.js";

Source: OpenClaw security commit 6e58f1f

Detection Methods for CVE-2026-44996

Indicators of Compromise

  • Webchat reply payloads containing mediaUrl values starting with file:// or absolute filesystem paths such as /etc/, /var/, or C:\\
  • Outbound webchat responses with large base64-encoded audio blobs that do not correspond to any user-uploaded media
  • OpenClaw gateway log entries showing isAudioFileName checks succeeding for paths outside the configured media store

Detection Strategies

  • Inspect HTTP responses from the OpenClaw webchat endpoint for base64 audio payloads referencing non-media file extensions disguised with .wav, .mp3, or similar suffixes
  • Audit agent and plugin output for ReplyPayload.mediaUrl fields that contain path traversal sequences or absolute paths
  • Correlate language model prompt logs with subsequent file read operations performed by the Node.js process

Monitoring Recommendations

  • Enable filesystem auditing on the host running the OpenClaw gateway to flag reads outside the documented media root directories
  • Forward gateway access logs to a central log analytics or SIEM platform and alert on payloads exceeding expected audio attachment size baselines
  • Track outbound reply sizes per session and investigate anomalies that suggest large file disclosure

How to Mitigate CVE-2026-44996

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.4.15 or later, which includes commit 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde
  • Restrict network exposure of the webchat gateway to trusted clients until the patch is applied
  • Review and constrain the operating system permissions of the Node.js process running OpenClaw to limit reachable files

Patch Information

The fix is published in the OpenClaw GitHub Security Advisory GHSA-gfg9-5357-hv4c and delivered in commit 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde. The patch introduces assertLocalMediaAllowed and getAgentScopedMediaLocalRoots helpers and invokes them before any local file is read for audio embedding. Additional context is available in the VulnCheck advisory.

Workarounds

  • Run the OpenClaw gateway under a dedicated low-privilege user with read access limited to the intended media directory
  • Deploy a reverse proxy or web application firewall rule that strips or rejects ReplyPayload.mediaUrl values containing file:// schemes or absolute paths
  • Disable agent or plugin features that produce mediaUrl values until the upgrade can be completed
bash
# Verify the installed OpenClaw version is patched
npm ls openclaw

# Upgrade to a fixed release
npm install openclaw@>=2026.4.15

# Run the gateway as a restricted user with limited filesystem access
useradd -r -s /usr/sbin/nologin openclaw
chown -R openclaw:openclaw /opt/openclaw/media
sudo -u openclaw node /opt/openclaw/dist/server.js

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.