CVSS 4.0 (GHSA): 7.1
OpenClaw Media Parsing Flaw Allows Unauthorized File Access
GHSA-f6pf-4gjx-c94r
Summary
A security flaw in OpenClaw version 2026.3.24 and earlier allows attackers to read arbitrary files on your server. This means that a malicious user could potentially access sensitive data they shouldn't have access to. To fix this, update OpenClaw to version 2026.3.28 or later.
What to do
- Update openclaw to version 2026.3.28.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.24 | 2026.3.28 |
Original title
OpenClaw: Media Parsing Path Traversal Leads to Arbitrary File Read
Original description
## Summary
OpenClaw <= 2026.3.24 Media Parsing Path Traversal to Arbitrary File Read
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.24`
- Patched versions: `>= 2026.3.28`
- First stable tag containing the fix: `v2026.3.28`
## Fix Commit(s)
- `4797bbc5b96e2cca5532e43b58915c051746fe37` — 2026-03-25T13:35:16-06:00
## Release Process Note
- The fix is already present in released version `2026.3.28`.
CVSS 4.0 (GHSA): 7.1
Vulnerability type: CWE-22 Path Traversal
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026