CVE-2026-27522
MEDIUM WAF: High
CVSS 5.5
Published: 2026-03-18
CWE-22
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.
WAF Coverage Analysis
Path Traversal
High WAF Coverage
OWASP: A01:2021 Broken Access Control
930xxx - Local File Inclusion
Affected Software
| Vendor | Product | Version |
|---|---|---|
| openclaw | openclaw | up to 2026.2.24 |
References
- github.com (Patch)
- github.com (Patch, Vendor Advisory)
- www.vulncheck.com (Third Party Advisory)