
Description

OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, so a crafted MEDIA reference in a shared reply can trigger cross-channel local file exfiltration: an attacker supplies a malicious shared reply MEDIA reference, and another channel reads the referenced local file path as if it were trusted generated media.
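The weakness class here is CWE-73 (external control of a file name or path): a path that originates in one channel is consumed by another as though the application itself had produced it. The following is an added, hypothetical defensive check, not OpenClaw's own code and not the vendor's fix; the function and directory names are assumptions. It treats an incoming MEDIA reference as untrusted, refuses absolute paths, resolves symlinks and `..` segments, and accepts the reference only when the final resolved path is a regular file inside the generated-media directory. The demo builds a constructed sandbox layout in a temporary directory, including a symlink that points outside the root, to show which references are rejected.

```python
"""
Hypothetical path-containment check for a media reference handler
(added example; not OpenClaw's implementation, not the upstream patch).
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class UntrustedMediaReference(ValueError):
    """Raised when a MEDIA reference would escape the generated-media root."""


def resolve_media_reference(reference: str, media_root: Path) -> Path:
    """Map an incoming MEDIA reference to a file under media_root, or reject it.

    - absolute paths are rejected outright
    - '..' segments and symlinks are neutralised by resolving the final path
    - the resolved path must lie within media_root (not just share a prefix)
    - only regular files are accepted
    """
    if not reference or Path(reference).is_absolute():
        raise UntrustedMediaReference(f"absolute or empty path not allowed: {reference!r}")
    root = media_root.resolve(strict=True)
    candidate = (root / reference).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError when outside root
    except ValueError:
        raise UntrustedMediaReference(f"reference escapes media root: {reference!r}") from None
    if not candidate.is_file():
        raise UntrustedMediaReference(f"not a regular file under media root: {reference!r}")
    return candidate


def classify_references(media_root: Path, references: list[str]) -> dict[str, str]:
    """Return 'accepted' or 'rejected' per reference (useful for audit logging)."""
    outcome: dict[str, str] = {}
    for ref in references:
        try:
            resolve_media_reference(ref, media_root)
            outcome[ref] = "accepted"
        except UntrustedMediaReference:
            outcome[ref] = "rejected"
    return outcome


def demo() -> dict[str, str]:
    """Build a constructed sandbox layout and run the check over sample references."""
    base = Path(tempfile.mkdtemp(prefix="media-demo-"))
    media_root = base / "generated-media"          # assumed trusted output directory
    media_root.mkdir()
    (media_root / "reply-1.png").write_bytes(b"\x89PNG constructed sample")
    outside = base / "outside-secret.txt"          # constructed file outside the root
    outside.write_text("constructed secret outside the media root\n")
    os.symlink(outside, media_root / "link-out.txt")  # symlink inside root, target outside
    refs = [
        "reply-1.png",            # legitimate generated media
        "../outside-secret.txt",  # traversal out of the root
        str(outside),             # absolute path
        "link-out.txt",           # symlink escaping the root
        "missing.png",            # nonexistent file
    ]
    return classify_references(media_root, refs)


if __name__ == "__main__":
    for ref, verdict in demo().items():
        print(f"{verdict:8} {ref}")
```

The containment test uses `Path.relative_to` on the fully resolved path rather than a string prefix comparison, so a sibling directory such as `generated-media-old` and a symlink planted inside the root are both rejected; the `strict=True` resolve of the root itself ensures the check fails closed if the trusted directory is missing.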

State: PUBLISHED | Reserved: 2026-04-27 | Published: 2026-04-28 | Updated: 2026-04-29 | Assigner: VulnCheck

Metrics

MEDIUM 5.9 (CVSS v4.0): CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM 5.7 (CVSS v3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Problem types

CWE-73: External Control of File Name or Path

Product status

Default status: unaffected

Any version before 2026.4.8: affected

2026.4.8 (semver): unaffected

Credits

Yuki Shiroi (@threalwinky), reporter

References

github.com/...enclaw/security/advisories/GHSA-qqq7-4hxc-x63c (GitHub Security Advisory (GHSA-qqq7-4hxc-x63c)) vendor-advisory

github.com/...ommit/d7c3210cd6f5fdfdc1beff4c9541673e814354d5 (Patch Commit) patch

www.vulncheck.com/...filtration-via-shared-reply-media-paths (VulnCheck Advisory: OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths) third-party-advisory

cve.org (CVE-2026-42424)

nvd.nist.gov (CVE-2026-42424)
