GHSA-c9h3-5p7r-mrjh: openclaw: path traversal bypasses media sandbox

GHSA-c9h3-5p7r-mrjh MEDIUM
Published April 17, 2026
CISO Take

openclaw's npm package contains a path traversal flaw (CWE-22) where Discord event cover image parameters were not routed through the sandbox media normalization pipeline, letting host-local file references flow unchecked into channel action paths that expect sanitized URLs. With 135 historical CVEs in this single package, this recurring pattern of input validation failures in AI agent integrations signals systemic security debt that extends well beyond this individual issue. Blast radius is currently limited—four known direct dependents, no active exploitation in CISA KEV, and no public PoC or scanner template—but agentic deployments processing Discord events may be exposed to local file leakage through crafted event image parameters. Upgrade to openclaw 2026.4.10 or later (current stable: 2026.4.14) and audit Discord event-create workflows for unexpected local path references in image parameters.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall. No CVSS vector or EPSS data is available, and active exploitation evidence is absent—not in CISA KEV, no public PoC, no Nuclei template. The four downstream dependents constrain immediate blast radius significantly. However, the sandbox bypass nature of this flaw is notable in agentic AI deployments where the agent process may have access to sensitive host files such as credentials, API keys, and model weights. The package's 135-CVE history suggests systemic input validation weaknesses that compound the risk profile and should prompt a broader security audit of the integration.

How does the attack unfold?

  1. Discovery (AML.T0084): Adversary identifies an openclaw-based AI agent deployment with Discord integration enabled and event-create permissions active.

  2. Exploitation (AML.T0097): Attacker crafts a Discord eventCreate call with an image parameter containing a host-local file path, triggering the unpatched normalization bypass in openclaw versions 2026.4.7–2026.4.9.

  3. Data Access (AML.T0037): The unsanitized local file reference bypasses sandbox normalization and reaches the channel action handler, which reads the referenced host-local file as if it were a valid media URL.

  4. Exfiltration (AML.T0025): Sensitive host file contents—credentials, API keys, model configuration, or .env secrets—are leaked through the Discord channel output or agent response to the adversary.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: >= 2026.4.7, < 2026.4.10
Patched: 2026.4.10
Dependents: 4 (36% patched, ~3d to patch)

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw to version 2026.4.10 or newer; the current latest release, 2026.4.14, already includes the fix.

  2. If immediate upgrade is blocked, disable or restrict Discord event creation actions in the agent configuration until patched.

  3. Audit existing event-create workflows for any image parameters containing local file paths (file:// URIs, relative paths, or UNC paths).

  4. Apply least-privilege file system controls on the agent process host to limit the blast radius of any local file exposure.

  5. Monitor agent logs for eventCreate calls with non-HTTP(S) image parameter values as an indicator of exploitation attempts.
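
One way to run the audit in step 3 and the monitoring in step 5, as an added example that is not openclaw's own code. It assumes a hypothetical JSON-lines agent log with `action` and `params.image` fields; the function names and the sample log are constructed for illustration.

```javascript
// Added example: flag eventCreate calls whose image value is not an http(s) URL.
// ASSUMPTION: the agent emits JSON-lines logs with "action" and "params.image";
// that layout is hypothetical, so adapt the field names to your own logging.

// Classify one image reference into the kinds named in step 3.
function classifyImageRef(value) {
  if (typeof value !== "string" || value.trim() === "") return "invalid";
  const v = value.trim();
  if (/^\\\\[^\\]/.test(v)) return "unc-path"; // \\host\share
  if (/^[a-zA-Z]:[\\/]/.test(v)) return "absolute-path"; // Windows drive path
  const scheme = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(v);
  if (scheme) {
    const s = scheme[1].toLowerCase();
    if (s !== "http" && s !== "https") return s === "file" ? "file-uri" : "other-scheme";
    try { new URL(v); return "http-url"; } catch { return "malformed-url"; }
  }
  return v.startsWith("/") || v.startsWith("~") ? "absolute-path" : "relative-path";
}

// Return one finding per eventCreate line whose image is anything but http(s).
function findSuspectEventCreates(logText) {
  const findings = [];
  logText.split("\n").forEach((line, i) => {
    let entry;
    try { entry = JSON.parse(line); } catch { return; } // skip non-JSON lines
    if (!entry || entry.action !== "eventCreate") return;
    const image = entry.params ? entry.params.image : undefined;
    if (image === undefined || image === null) return; // no cover image supplied
    const kind = classifyImageRef(image);
    if (kind !== "http-url") findings.push({ line: i + 1, kind, image });
  });
  return findings;
}

// Constructed sample log (not real openclaw output); paths are the page's examples.
const SAMPLE_LOG = [
  { action: "eventCreate", params: { name: "Standup", image: "https://cdn.example.com/cover.png" } },
  { action: "eventCreate", params: { name: "Sync", image: "file:///opt/app/.env" } },
  { action: "sendMessage", params: { text: "hello" } },
  { action: "eventCreate", params: { name: "Retro", image: "../../config/secrets.json" } },
  { action: "eventCreate", params: { name: "Demo", image: "\\\\fileserver\\share\\cover.png" } },
].map((e) => JSON.stringify(e)).join("\n");

console.log(findSuspectEventCreates(SAMPLE_LOG));
```

Each finding carries the log line number, so a hit can be traced back to the workflow that issued the call.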

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.2 - AI system input control
NIST AI RMF: MANAGE 2.2 - Risk treatment
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is GHSA-c9h3-5p7r-mrjh actively exploited?

No confirmed active exploitation of GHSA-c9h3-5p7r-mrjh has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-c9h3-5p7r-mrjh?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Discord integration pipelines, event-driven agent workflows, agentic tool execution environments.

What is the CVSS score for GHSA-c9h3-5p7r-mrjh?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

  • AI agent frameworks
  • Discord integration pipelines
  • event-driven agent workflows
  • agentic tool execution environments

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0097 Virtualization/Sandbox Evasion
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

## Summary

Discord event cover images bypassed sandbox media normalization.

## Affected Packages / Versions

- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.4.7 < 2026.4.10`
- Patched versions: `>= 2026.4.10`

## Impact

Discord event cover image parameters could bypass the sandbox media normalization path used for outbound local media, allowing host-local media references to reach a channel action path that expected normalized media.

## Technical Details

The fix includes Discord `eventCreate.image` in sandbox media normalization and adds coverage for the event-create media path.

## Fix

The issue was fixed in #64377. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.

## Fix Commit(s)

- `979c6f09d6fad96596feb91c905934be7e0b4f15`
- PR: #64377

## Release Process Note

Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.

## Credits

Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.

Exploitation Scenario

An adversary with the ability to trigger Discord event creation through an openclaw-based AI agent—either directly or via a compromised workflow—crafts an eventCreate.image parameter containing a host-local file path such as file:///opt/app/.env or ../../config/secrets.json. Because this parameter bypasses the sandbox media normalization path, the local reference is forwarded to the channel action handler without sanitization. The handler processes the local path as a valid media reference, reading and potentially surfacing the file contents through the Discord channel output or agent response, effectively exfiltrating credentials, API keys, or model configuration from the agent host.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026
