OpenClaw Path Traversal Vulnerability in Windows Media Loaders
Vulnerability
A path traversal vulnerability has been identified in OpenClaw versions prior to 2026.3.22. This vulnerability exists in Windows media loaders that accept remote-host file URLs and UNC-style paths without proper local-path validation. As a result, attackers can exploit this issue by providing network-hosted file targets that are mistakenly treated as local content, thereby bypassing intended access restrictions.
Impact
Exploitation of this vulnerability allows for path traversal, where remote-host file URLs and UNC paths can be accepted as local files, potentially leading to unauthorized access or manipulation of local resources.
Reproduction
The vulnerability can be reproduced with an OpenClaw version prior to 2026.3.22 by attempting to load media from a remote-host file URL or a Windows network (UNC) path. In a test environment this is done by mocking process.platform as 'win32' and supplying a file URL or UNC path that points to a file share; the vulnerable loader accepts the network-hosted target as if it were a local file.
Remediation
Users can upgrade to OpenClaw version 2026.3.22 or later to address this vulnerability.
