GHSA-gfg9-5357-hv4c

Source
https://github.com/advisories/GHSA-gfg9-5357-hv4c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gfg9-5357-hv4c/GHSA-gfg9-5357-hv4c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gfg9-5357-hv4c
Published
2026-04-29T21:34:39Z
Modified
2026-05-05T16:06:43.026099Z
Severity
  • 6.0 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
OpenClaw: Webchat audio embedding could read local files without local-root containment
Details

Impact

OpenClaw deployments before 2026.4.15 could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths.

If an attacker could influence an agent- or tool-produced ReplyPayload.mediaUrl, the webchat audio embedding helper could resolve an absolute local path or file: URL, read a file with an audio-like extension that fit under the size cap, and base64-encode it into the webchat media response. This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is only the delivery mechanism; the security boundary failure is the missing local-root containment check.

The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.

Affected Packages / Versions

  • Package: openclaw on npm
  • Affected versions: <= 2026.4.14
  • Patched version: 2026.4.15

The latest public release, 2026.4.21, also contains the fix.

Patches

The public fix threads the applicable local media roots into the webchat audio embedding path and calls assertLocalMediaAllowed before local audio content is read. Current main also includes an additional trustedLocalMedia gate so untrusted model/tool payloads cannot opt into local audio embedding.

Fix commit:

  • 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde

Workarounds

Upgrade to openclaw@2026.4.15 or later; the latest public release, 2026.4.21, is fixed. Until the upgrade is applied, avoid exposing webchat sessions to untrusted prompt or tool content that can influence reply media URLs.

Credits

OpenClaw thanks @zsxsoft for reporting.

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T21:34:39Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-22"
    ],
    "severity": "MODERATE",
    "nvd_published_at": null
}

Affected packages

npm / openclaw

Affected ranges (type: SEMVER)

  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 2026.4.15

Database specific

  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gfg9-5357-hv4c/GHSA-gfg9-5357-hv4c.json"
  • last_known_affected_version_range: "<= 2026.4.14"