Description
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.
Published: 2026-03-05
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Local File Inclusion flaw in the BlueBubbles media handling component of OpenClaw. By sending crafted requests to the sendBlueBubblesMedia endpoint, an attacker can supply a mediaPath value that, because the parameter is never validated, points to arbitrary files on the server filesystem. This allows reading sensitive files such as /etc/passwd and exfiltrating them as media attachments. The weakness corresponds to CWE-73 and results in confidentiality exposure.

Affected Systems

OpenClaw versions prior to 2026.2.14 are affected. The flaw exists only when the BlueBubbles extension is installed and enabled; no other OpenClaw components are impacted. Users running these older versions should verify whether the BlueBubbles extension is in use and, if it is, apply the latest release.

Risk and Exploitability

The CVSS score of 8.2 classifies this as a high-severity vulnerability. The EPSS score of less than 1% indicates that exploitation is currently unlikely to be widespread, but local file inclusion remains a serious risk. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires the ability to reach the sendBlueBubblesMedia endpoint, either locally or via a remote attack vector, and to supply a malicious mediaPath parameter; this is inferred from the description and is not directly stated in the advisory.

Generated by OpenCVE AI on April 16, 2026 at 11:53 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later, which includes proper validation of mediaPath parameters.
  • If the BlueBubbles extension is not required, disable or remove it to eliminate the attack surface.
  • As a temporary measure, configure the application to restrict the directories that can be accessed via mediaPath, for example by enforcing an explicit allowlist of safe folders.



Advisories

Source: Github GHSA
ID: GHSA-rwj8-p9vq-25gv
Title: OpenClaw has a LFI in BlueBubbles media path handling

History

Mon, 09 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 17:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1
{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 05 Mar 2026 22:15:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.
Type: Title
Values Added: OpenClaw < 2026.2.14 - Local File Inclusion via mediaPath Parameter in BlueBubbles Media Handling
Type: First Time appeared
Values Added: Openclaw (vendor), Openclaw openclaw (product)
Type: Weaknesses
Values Added: CWE-73
Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Type: Vendors & Products
Values Added: Openclaw (vendor), Openclaw openclaw (product)
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1
{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
cvssV4_0
{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-03-09T18:15:05.829Z
Reserved: 2026-03-04T16:16:15.968Z
Link: CVE-2026-29611

Vulnrichment

Updated: 2026-03-09T18:15:00.303Z

NVD

Status: Analyzed
Published: 2026-03-05T22:16:24.460
Modified: 2026-03-11T00:58:54.873
Link: CVE-2026-29611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:00:11Z

Weaknesses