OpenClaw BlueBubbles Extension Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the OpenClaw application, specifically within the BlueBubbles extension, in versions prior to 2026.2.14. This vulnerability allows attackers to read arbitrary files from the local filesystem. The issue arises in the 'sendBlueBubblesMedia' function, which handles media path parameters without proper validation against an allowlist. As a result, attackers can exploit this flaw to access sensitive files, such as '/etc/passwd', and exfiltrate them as media attachments.
Impact
Exploitation of this vulnerability allows for unauthorized reading of local files, including sensitive information accessible to the OpenClaw process.
Reproduction
To reproduce this vulnerability, send a media attachment using the BlueBubbles extension without configuring the 'mediaLocalRoots' allowlist. The 'sendBlueBubblesMedia' function will accept the mediaPath parameter as a local file path, leading to the inclusion of files like '/etc/passwd' as attachments.
Remediation
Users should upgrade to OpenClaw version 2026.2.14 or later and configure the 'channels.bluebubbles.mediaLocalRoots' setting to include explicit trusted directories.
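The following is an added illustration, not OpenClaw's own code, of the containment check that the 'mediaLocalRoots' allowlist is meant to enforce: a local media path is accepted only if it canonicalizes to a location under a configured root, and nothing is accepted when no roots are configured. The root directory '/srv/openclaw/media' and the function names are assumptions.

```python
import os
from typing import Optional, Sequence

# Hypothetical allowlist standing in for the 'channels.bluebubbles.mediaLocalRoots'
# setting named in the advisory; the directory itself is a constructed value.
MEDIA_LOCAL_ROOTS = ["/srv/openclaw/media"]


def resolve_media_path(media_path: str, media_local_roots: Sequence[str]) -> Optional[str]:
    """Return the canonical path if it lies inside an allowlisted root, else None.

    Models the validation the advisory describes as missing in
    sendBlueBubblesMedia: a local path is only accepted when it resolves
    under one of the configured roots.
    """
    # Fail closed: with no allowlist configured, no local path is accepted.
    # (The vulnerable behaviour was the opposite: any path was accepted.)
    if not media_local_roots:
        return None

    # realpath collapses '..' segments and follows symlinks, so
    # '/srv/openclaw/media/../../../etc/passwd' becomes '/etc/passwd'
    # before the containment check runs.
    candidate = os.path.realpath(media_path)

    for root in media_local_roots:
        root_real = os.path.realpath(root)
        try:
            # commonpath compares whole path components, so a root of
            # '/srv/openclaw/media' does not match '/srv/openclaw/media2/x.jpg'
            # the way a naive str.startswith check would.
            contained = os.path.commonpath([root_real, candidate]) == root_real
        except ValueError:
            # Paths on different drives (Windows) share no common path.
            contained = False
        # Require a path strictly inside the root, not the root directory itself.
        if contained and candidate != root_real:
            return candidate
    return None


def is_allowed_media_path(media_path: str, media_local_roots: Sequence[str] = MEDIA_LOCAL_ROOTS) -> bool:
    """Boolean form of the check, suitable for guarding the attachment send."""
    return resolve_media_path(media_path, media_local_roots) is not None


if __name__ == "__main__":
    for p in ["/srv/openclaw/media/photo.jpg", "/srv/openclaw/media/../../../etc/passwd",
              "/etc/passwd", "/srv/openclaw/media2/photo.jpg"]:
        print(f"{p!r}: allowed={is_allowed_media_path(p)}")
```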