CVE-2026-25475: OpenClaw: path traversal enables arbitrary file read

MEDIUM PoC AVAILABLE

Published February 4, 2026

CISO Take

OpenClaw's media path parser (src/media/parse.ts) fails to reject absolute paths, home-directory references, and directory traversal sequences, allowing any agent context — including one manipulated via a malicious skill or prompt injection — to output MEDIA:/home/user/.ssh/id_rsa or MEDIA:/etc/shadow and silently deliver file contents to the conversation channel. With a public PoC already circulating and 11 prior CVEs in this package, exploitation friction is minimal; the parallel malicious-skills campaign documented in AIID #1368 (17% of audited skills assessed as malicious on ClawHub) provides a ready-made delivery chain that maps directly onto this vulnerability. Patch to version 2026.1.30 immediately, restrict the OpenClaw process to a dedicated low-privilege account, and scan conversation logs for MEDIA: tokens referencing absolute paths outside expected media directories.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

Contextual risk is elevated beyond the CVSS 6.5 medium score. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) confirms low-complexity network exploitation with high confidentiality impact — an attacker needs only a low-privilege position (e.g., a published skill or an injected prompt in processed content) to reach SSH keys, API tokens, .env files, and OS credential stores. The public PoC lowers the bar to script-kiddie level, and the documented malicious-skills ecosystem (AIID #1368) means a working exploit delivery chain already exists in the wild. Desktop deployments running as the primary user account face the broadest filesystem exposure, as no chroot or sandboxing is applied by default.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	pip	—	No patch

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

N/A

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

Patch immediately to OpenClaw 2026.1.30, which sanitizes paths in isValidMedia() to reject absolute paths, ~ expansions, and ../ traversal sequences.
Until patched, apply OS-level filesystem restrictions: run OpenClaw under a dedicated service account with an AppArmor or SELinux profile confining readable paths to explicitly allowlisted media directories.
Disable or quarantine third-party skills — given AIID #1368, treat unverified ClawHub skills as active threat vectors and audit all installed skills against a known-good list.
Search conversation and audit logs for MEDIA: tokens followed by paths referencing /etc/, ~/.ssh/, ~/.aws/, ~/.config/, or any path outside the intended media directory.
Rotate exposed secrets (API keys, SSH keys, tokens, passwords) if OpenClaw ran unpatched alongside external or community skills.

Classification

Data Extraction Privacy Violation Supply Chain Agent Plugin AML.T0010.005 - AI Agent Tool AML.T0037 - Data from Local System AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0086 - Exfiltration via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI system security testing

NIST AI RMF

MANAGE 2.2 - Risk response — treatment of identified AI risks

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure LLM08 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors high confidence

AIID #1368 documents malicious OpenClaw skills exfiltrating credentials via ClawHub — the same package and distribution ecosystem affected by CVE-2026-25475. The malicious skills campaign represents an active, real-world delivery mechanism for this path traversal, where skill-injected prompts could trigger the MEDIA: handler to exfiltrate the same credential files targeted by the AMOS stealer documented in the incident.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.

Exploitation Scenario

An attacker publishes a benign-looking productivity skill on ClawHub. Embedded in the skill's response templates is an indirect prompt injection payload instructing the agent to output MEDIA:/home/victim/.ssh/id_rsa, MEDIA:/home/victim/.env, and MEDIA:/home/victim/.aws/credentials in sequence. When the victim installs and invokes the skill, OpenClaw processes the injected instructions, calls isValidMedia() on each absolute path, and — due to the absence of path sanitization — renders the file contents inline in the conversation. A second capability within the malicious skill (or a listening attacker with channel access) captures the output and forwards it to an attacker-controlled server. The exploit requires no custom tooling: the public PoC demonstrates the path traversal, and the ClawHub distribution channel provides the social-engineering wrapper at no additional cost.