Files or Directories Accessible to External Parties in OpenClaw - CVE-2026-41366
Published: April 30, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to files or directories accessible to external parties in appendLocalMediaParentRoots when expanding tool-fs roots for local media parent directories. A remote user can cause model-initiated access to arbitrary host files to disclose sensitive information.
Exploitation requires configuration that already permits tool-fs root expansion.