GHSA-66r7-m7xm-v49h: openclaw: path traversal exposes host files via media tags
GHSA-66r7-m7xm-v49h
HIGH
The openclaw QQBot integration fails to enforce filesystem boundaries when processing outbound media tags embedded in AI-generated reply text, allowing an attacker to read arbitrary host files outside the intended media storage directory. With 135 CVEs already attributed to this package, openclaw's security track record signals systemic deficiencies that should concern any team relying on it as part of an AI agent deployment. While no public exploit or active exploitation (KEV) has been reported, path traversal in AI agent output pipelines is trivially exploitable and can expose credentials, configuration files, and other sensitive host data through a channel that defenders rarely monitor. Teams running openclaw < 2026.4.10 should upgrade to openclaw@2026.4.14 immediately; if patching is not immediately feasible, restrict the process to a sandboxed filesystem with no access to sensitive paths.
What is the risk?
High risk for AI agent deployments where openclaw processes QQBot messages from untrusted or semi-trusted users. The vulnerability sits in the output handling layer of an AI agent — a relatively novel attack surface where defenders typically lack visibility and logging coverage. The package's history of 135 CVEs indicates insufficient security investment by maintainers, warranting elevated scrutiny. With only 4 downstream npm dependents the blast radius is contained, but those deployments are likely purpose-built AI agent systems where host credential disclosure would be catastrophic.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.10 | 2026.4.10 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
5 steps:
1. Patch: Upgrade openclaw to >= 2026.4.10; npm release 2026.4.14 is the recommended stable target.
2. Immediate workaround: run the openclaw process under a dedicated OS user with filesystem access scoped strictly to the media storage directory using chroot or container isolation with no sensitive volume mounts.
3. Detection: audit QQBot outbound message logs for media tags containing path traversal sequences (../, %2e%2e%2f, and encoded variants).
4. Defense-in-depth: ensure no sensitive files (credentials, keys, .env) reside on filesystem paths accessible to the openclaw process.
5. Post-patch validation: confirm the patched version rejects media tags referencing paths outside the configured media storage root before re-exposing to untrusted users.
How is it classified?
Which compliance frameworks are affected?
Frequently Asked Questions
What is GHSA-66r7-m7xm-v49h?
The openclaw QQBot integration fails to enforce filesystem boundaries when processing outbound media tags embedded in AI-generated reply text, allowing an attacker to read arbitrary host files outside the intended media storage directory. With 135 CVEs already attributed to this package, openclaw's security track record signals systemic deficiencies that should concern any team relying on it as part of an AI agent deployment. While no public exploit or active exploitation (KEV) has been reported, path traversal in AI agent output pipelines is trivially exploitable and can expose credentials, configuration files, and other sensitive host data through a channel that defenders rarely monitor. Teams running openclaw < 2026.4.10 should upgrade to openclaw@2026.4.14 immediately; if patching is not immediately feasible, restrict the process to a sandboxed filesystem with no access to sensitive paths.
Is GHSA-66r7-m7xm-v49h actively exploited?
No confirmed active exploitation of GHSA-66r7-m7xm-v49h has been reported, but organizations should still patch proactively.
How to fix GHSA-66r7-m7xm-v49h?
1. Patch: Upgrade openclaw to >= 2026.4.10; npm release 2026.4.14 is the recommended stable target. 2. Immediate workaround: run the openclaw process under a dedicated OS user with filesystem access scoped strictly to the media storage directory using chroot or container isolation with no sensitive volume mounts. 3. Detection: audit QQBot outbound message logs for media tags containing path traversal sequences (../, %2e%2e%2f, and encoded variants). 4. Defense-in-depth: ensure no sensitive files (credentials, keys, .env) reside on filesystem paths accessible to the openclaw process. 5. Post-patch validation: confirm the patched version rejects media tags referencing paths outside the configured media storage root before re-exposing to untrusted users.
What systems are affected by GHSA-66r7-m7xm-v49h?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI chatbot deployments, QQBot AI integrations, self-hosted AI agents.
What is the CVSS score for GHSA-66r7-m7xm-v49h?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0051.001 Indirect
- AML.T0086 Exfiltration via AI Agent Tool Invocation
Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary
QQBot media tags could read arbitrary local files through reply text.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `< 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
QQBot outbound media tags in AI reply text could reference host-local paths outside the intended media storage boundary, allowing local file disclosure through outbound media handling.
## Technical Details
The fix enforces the media storage boundary for all outbound QQBot local file paths.
## Fix
The issue was fixed in #63271. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `604777e4414cc3b2ff8861f18f4fb04374c702c6`
- PR: #63271
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @feiyang666 of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting this issue.
Exploitation Scenario
An attacker sends a QQBot message crafted to manipulate the AI agent's reply generation — either through direct input or indirect prompt injection via a poisoned data source accessible to the agent. The AI includes a media tag such as [CQ:image,file=../../../.env] or [CQ:image,file=/etc/passwd] in its reply text. The pre-patch openclaw media handler resolves this local file path without enforcing the media storage boundary, reads the file, and delivers its contents back to the attacker via the normal QQBot media response channel. No authentication bypass or elevated privileges are required beyond the ability to send a message to the bot — making this exploitable by any user with QQBot access.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
- CVE-2026-33579 (9.9) OpenClaw: scope bypass escalates low-priv to admin (same package: openclaw)
- CVE-2026-32922 (9.9) OpenClaw: privilege escalation to RCE via token scope bypass (same package: openclaw)
- CVE-2026-32038 (9.8) Analysis pending (same package: openclaw)
- CVE-2026-53838 (9.8) OpenClaw: approval scope bypass via reconnection state (same package: openclaw)
- CVE-2026-30741 (9.8) OpenClaw: RCE via request-side prompt injection (same package: openclaw)