OpenClaw Local-Root Containment Bypass Vulnerability Allowing Arbitrary File Access

Vulnerability

A vulnerability exists in OpenClaw versions 2026.4.7 up to, but not including, 2026.4.15: the application does not enforce local-root containment on media paths carried in tool results. A tool result can therefore reference an arbitrary local file (for example via a 'file://' URL) or a Windows UNC path, and the host attempts to open it. An attacker who can influence tool output can use this to read files outside the intended media root or to make the host connect to an attacker-controlled SMB share, which on Windows can expose sensitive data or credentials.

Impact

Exploitation of this vulnerability can result in unauthorized reads of local files accessible to the OpenClaw process and, on affected Windows deployments, exposure of network credentials: opening a UNC path is an outbound SMB connection, and the host authenticates to the remote share when it opens the path.

Reproduction

Send a tool result whose media reference is a 'file://' URL pointing at a local file, or a Windows UNC path such as '\\attacker\share\file.txt', through the OpenClaw webchat interface. OpenClaw processes the tool result and attempts to open the referenced file or network path. Because no local-root containment check is applied, the request reaches the host filesystem or network stack, and the file contents (or a connection to the attacker's share) follow.
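A containment check of the kind this fix requires, as an added example in Python; it is not OpenClaw's own code. The page does not show the project's real media-path handling, its language, or its function names, so `resolve_media_path`, `media_root`, the media-root layout and every sample reference below are assumptions constructed for the example. The check refuses UNC and device paths and file URLs with a remote host before any I/O happens, then resolves what is left (symlinks and '..' included) and requires the result to sit under the media root.

```python
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath
from urllib.parse import unquote, urlparse


class MediaPathRejected(ValueError):
    """A tool-result media reference that must not be opened."""


# \\host\share..., //host/share..., \\?\ and \\.\ device paths: all of these make
# the host talk SMB (and, on Windows, send its credentials) instead of opening a file.
_UNC_OR_DEVICE = re.compile(r"^(\\\\|//)")


def reference_to_local_path(ref: str) -> str:
    """Strip the URL wrapper from a media reference, refusing network forms.

    Only bare paths and file:// URLs without a remote host survive; everything
    else is rejected before any filesystem or network access can happen.
    """
    ref = ref.strip()
    if _UNC_OR_DEVICE.match(ref):
        raise MediaPathRejected(f"UNC or device path: {ref!r}")
    if "://" in ref:
        url = urlparse(ref)
        if url.scheme.lower() != "file":
            raise MediaPathRejected(f"not a local file reference: {ref!r}")
        # file://attacker/share/x is the URL spelling of a UNC path.
        if url.netloc not in ("", "localhost"):
            raise MediaPathRejected(f"remote host in file URL: {ref!r}")
        path = unquote(url.path)            # decode %2e%2e before the containment check
        if re.match(r"^/[A-Za-z]:", path):  # file:///C:/x -> C:/x
            path = path[1:]
        return path
    return ref


def resolve_media_path(ref: str, media_root: str) -> Path:
    """Return the on-disk path for `ref`, or raise if it leaves `media_root`.

    Relative references are joined to the root; absolute ones are accepted only
    if, after symlink and '..' resolution, they still sit under the root.
    (A drive-letter path on a POSIX host resolves relative to the cwd and is
    therefore rejected unless the cwd itself lies under the media root.)
    """
    root = Path(media_root).resolve()
    candidate = reference_to_local_path(ref).replace("\\", "/")
    is_absolute = candidate.startswith("/") or bool(PureWindowsPath(candidate).drive)
    target = Path(candidate) if is_absolute else root / candidate
    resolved = target.resolve()  # follows symlinks and collapses '..'
    try:
        resolved.relative_to(root)
    except ValueError:
        raise MediaPathRejected(f"escapes media root: {ref!r}") from None
    return resolved


def demo() -> dict:
    """Run the check over constructed references against a throwaway media root.

    The root, the outside directory, the symlink and the references are all
    sample data built here (POSIX symlinks assumed), not real OpenClaw files.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        (Path(root) / "logo.png").write_bytes(b"\x89PNG")
        (Path(outside) / "secret.txt").write_text("token=constructed")
        os.symlink(outside, Path(root) / "escape")  # symlink that points out of the root
        refs = {
            "relative-inside": "logo.png",
            "file-url-inside": (Path(root) / "logo.png").as_uri(),
            "file-url-local-etc": "file:///etc/passwd",
            "dotdot-traversal": "../../etc/passwd",
            "symlink-escape": "escape/secret.txt",
            "unc-backslash": r"\\attacker\share\file.txt",
            "unc-forward": "//attacker/share/file.txt",
            "unc-as-file-url": "file://attacker/share/file.txt",
            "windows-drive": "file:///C:/Windows/win.ini",
            "http-url": "https://example.invalid/x.png",
        }
        for label, ref in refs.items():
            try:
                resolve_media_path(ref, root)
                results[label] = "allowed"
            except MediaPathRejected:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{status:8} {label}")
```

The ordering matters: the UNC and remote-host checks run on the raw string, before anything is resolved, because `Path.resolve()` on a UNC path is itself the network access the fix is meant to prevent. Non-file URL schemes are rejected here as well; fetching remote media, if OpenClaw supports it, is a separate code path with its own controls and should never be reached through the local-file branch.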

Remediation

Update to OpenClaw version 2026.4.15 or later, where this vulnerability is addressed. Update instructions are in the OpenClaw documentation. Until the update is applied, blocking outbound SMB (TCP 445) from Windows hosts running OpenClaw limits what a UNC media reference can reach; it does not prevent the local file reads.

Added: Apr 20, 2026, 6:24 PM
Updated: Apr 20, 2026, 6:24 PM

Vulnerability Rating (Custom Algorithm)

spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 6.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.