Path traversal in OpenClaw - CVE-2026-29611

Published: May 4, 2026


Vulnerability identifier: #VU129432
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29611
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to a path traversal in the sendBlueBubblesMedia function when it processes a non-HTTP media source supplied through the mediaPath parameter. A remote attacker can supply a crafted filesystem path to read files outside the intended directory and disclose sensitive information.

Exploitation is limited to attackers able to trigger BlueBubbles media sends, and the disclosed files are those accessible to the OpenClaw process.
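The CWE-22 pattern described above, and the check that closes it, as an added TypeScript example that is not OpenClaw's code: MEDIA_ROOT, isHttpSource, unsafeLocalPath and safeLocalPath are assumed names, and the root directory is a constructed value.

```typescript
import * as path from "node:path";

// Constructed root for local (non-HTTP) media; assumption, not a real OpenClaw path.
export const MEDIA_ROOT = "/srv/openclaw/media";

/** True when the media source is an HTTP(S) URL; anything else is treated as a local path. */
export function isHttpSource(src: string): boolean {
  return /^https?:\/\//i.test(src);
}

/**
 * Vulnerable pattern (illustrative): the caller-supplied mediaPath reaches the
 * filesystem unchecked. path.join() normalises ".." segments, so the result can
 * climb out of MEDIA_ROOT and name any file the process can read.
 */
export function unsafeLocalPath(mediaPath: string): string {
  return path.join(MEDIA_ROOT, mediaPath);
}

/**
 * Hardened version: canonicalise the candidate, then require that it stays
 * inside the root. Returns null for anything that escapes or is malformed.
 * In a real service, also resolve symlinks (fs.realpath) before this check.
 */
export function safeLocalPath(mediaPath: string, root: string = MEDIA_ROOT): string | null {
  // NUL bytes can truncate the path in lower layers; reject them outright.
  if (mediaPath.includes("\0")) return null;
  const rootAbs = path.resolve(root);
  // An absolute mediaPath replaces rootAbs here, which the containment check below catches.
  const candidate = path.resolve(rootAbs, mediaPath);
  const rel = path.relative(rootAbs, candidate);
  // Containment: rel must be a non-empty relative path that does not begin with "..".
  // Comparing on "../" (not a bare ".." prefix) keeps legitimate names like "..notes.png".
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}
```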


How to mitigate CVE-2026-29611

Install the security update from the vendor's website.