CVE-2026-25475: OpenClaw: path traversal enables arbitrary file read

MEDIUM PoC AVAILABLE
Published February 4, 2026
CISO Take

OpenClaw's media path parser (src/media/parse.ts) fails to reject absolute paths, home-directory references, and directory traversal sequences, allowing any agent context — including one manipulated via a malicious skill or prompt injection — to output MEDIA:/home/user/.ssh/id_rsa or MEDIA:/etc/shadow and silently deliver file contents to the conversation channel. With a public PoC already circulating and 11 prior CVEs in this package, exploitation friction is minimal; the parallel malicious-skills campaign documented in AIID #1368 (17% of audited skills assessed as malicious on ClawHub) provides a ready-made delivery chain that maps directly onto this vulnerability. Patch to version 2026.1.30 immediately, restrict the OpenClaw process to a dedicated low-privilege account, and scan conversation logs for MEDIA: tokens referencing absolute paths outside expected media directories.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

Contextual risk is elevated beyond the CVSS 6.5 medium score. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms low-complexity network exploitation with high confidentiality impact — an attacker needs only a low-privilege position (e.g., a published skill or an injected prompt in processed content) to reach SSH keys, API tokens, .env files, and OS credential stores. The public PoC lowers the bar to script-kiddie level, and the documented malicious-skills ecosystem (AIID #1368) means a working exploit delivery chain already exists in the wild. Desktop deployments running as the primary user account face the broadest filesystem exposure, as no chroot or sandboxing is applied by default.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw pip No patch
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 50% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps
  1. Patch immediately to OpenClaw 2026.1.30, which sanitizes paths in isValidMedia() to reject absolute paths, ~ expansions, and ../ traversal sequences.

  2. Until patched, apply OS-level filesystem restrictions: run OpenClaw under a dedicated service account with an AppArmor or SELinux profile confining readable paths to explicitly allowlisted media directories.

  3. Disable or quarantine third-party skills — given AIID #1368, treat unverified ClawHub skills as active threat vectors and audit all installed skills against a known-good list.

  4. Search conversation and audit logs for MEDIA: tokens followed by paths referencing /etc/, ~/.ssh/, ~/.aws/, ~/.config/, or any path outside the intended media directory.

  5. Rotate exposed secrets (API keys, SSH keys, tokens, passwords) if OpenClaw ran unpatched alongside external or community skills.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security testing
NIST AI RMF
MANAGE 2.2 - Risk response — treatment of identified AI risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-25475?

OpenClaw's media path parser (src/media/parse.ts) fails to reject absolute paths, home-directory references, and directory traversal sequences, allowing any agent context — including one manipulated via a malicious skill or prompt injection — to output MEDIA:/home/user/.ssh/id_rsa or MEDIA:/etc/shadow and silently deliver file contents to the conversation channel. With a public PoC already circulating and 11 prior CVEs in this package, exploitation friction is minimal; the parallel malicious-skills campaign documented in AIID #1368 (17% of audited skills assessed as malicious on ClawHub) provides a ready-made delivery chain that maps directly onto this vulnerability. Patch to version 2026.1.30 immediately, restrict the OpenClaw process to a dedicated low-privilege account, and scan conversation logs for MEDIA: tokens referencing absolute paths outside expected media directories.

Is CVE-2026-25475 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-25475, increasing the risk of exploitation.

How to fix CVE-2026-25475?

1. Patch immediately to OpenClaw 2026.1.30, which sanitizes paths in isValidMedia() to reject absolute paths, ~ expansions, and ../ traversal sequences. 2. Until patched, apply OS-level filesystem restrictions: run OpenClaw under a dedicated service account with an AppArmor or SELinux profile confining readable paths to explicitly allowlisted media directories. 3. Disable or quarantine third-party skills — given AIID #1368, treat unverified ClawHub skills as active threat vectors and audit all installed skills against a known-good list. 4. Search conversation and audit logs for MEDIA: tokens followed by paths referencing /etc/, ~/.ssh/, ~/.aws/, ~/.config/, or any path outside the intended media directory. 5. Rotate exposed secrets (API keys, SSH keys, tokens, passwords) if OpenClaw ran unpatched alongside external or community skills.

What systems are affected by CVE-2026-25475?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Personal AI assistants, Plugin and skill ecosystems, Multi-modal AI systems.

What is the CVSS score for CVE-2026-25475?

CVE-2026-25475 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.74%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworksPersonal AI assistantsPlugin and skill ecosystemsMulti-modal AI systems

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0037 Data from Local System
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06, LLM08

What are the technical details?

Original Advisory

OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.

Exploitation Scenario

An attacker publishes a benign-looking productivity skill on ClawHub. Embedded in the skill's response templates is an indirect prompt injection payload instructing the agent to output MEDIA:/home/victim/.ssh/id_rsa, MEDIA:/home/victim/.env, and MEDIA:/home/victim/.aws/credentials in sequence. When the victim installs and invokes the skill, OpenClaw processes the injected instructions, calls isValidMedia() on each absolute path, and — due to the absence of path sanitization — renders the file contents inline in the conversation. A second capability within the malicious skill (or a listening attacker with channel access) captures the output and forwards it to an attacker-controlled server. The exploit requires no custom tooling: the public PoC demonstrates the path traversal, and the ClawHub distribution channel provides the social-engineering wrapper at no additional cost.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
February 4, 2026
Last Modified
February 13, 2026
First Seen
February 4, 2026

Related Vulnerabilities