Skip to content
CVSS 7.7 · HIGH

CVE-2026-42438

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.

Ver en NVD

Análisis

OpenClaw is a niche open-source project that is not widely used in the common web, mobile, or backend developer stack. While the vulnerability allows for local file disclosure through an authorization bypass, the limited adoption of the software makes it less relevant for a general developer community alert.

Severidad

Puntaje: 7.7(HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
AV: NETWORK
AC: LOW
PR: LOW
UI: NONE
S: CHANGED
C: HIGH
I: NONE
A: NONE
Tipo de falla (CWE): CWE-863

EPSS

Probabilidad de explotación (próx. 30 días): 0.0003 (0.0%)
Percentil: 7.5%
EPSS: 2026-05-06

Afecta

openclaw:openclaw

Descripción técnica

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading to bypass sender and group-scoped authorization boundaries and retrieve readable local files through the outbound media path.

Publicada: 5/5/2026, 12:16:18
Última modificación: 7/5/2026, 1:59:57

Referencias

InicioEventosBlogRecursosEquipo