Skip to content
CVSS 7.7 · HIGH

CVE-2026-42438

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.

View on NVD

Analysis

OpenClaw is a niche open-source project that is not widely used in the common web, mobile, or backend developer stack. While the vulnerability allows for local file disclosure through an authorization bypass, the limited adoption of the software makes it less relevant for a general developer community alert.

Severity

Score: 7.7(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Weakness (CWE): CWE-863

EPSS

Probability of exploitation (next 30 days): 0.0003 (0.0%)
Percentile: 7.5%
EPSS: 2026-05-06

Affects

openclaw:openclaw

Technical description

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.

Published: 5/5/2026, 12:16:18 PM
Last modified: 5/7/2026, 1:59:57 AM

References

HomeEventsBlogResourcesTeam