CVE-2026-29611

HIGH

OpenClaw <2026.2.14 - Path Traversal

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv

[Patch] https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling

Scores

CVSS v3 7.5

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-73

Status published

Products (1)

openclaw/openclaw < 2026.2.14

Published Mar 05, 2026

Tracked Since Mar 06, 2026