GHSA-gfg9-5357-hv4c: openclaw: path traversal exposes host files via audio embed

Severity: MEDIUM
Published: April 29, 2026
CISO Take

OpenClaw's webchat audio embedding helper lacked the local-root containment check applied to all other media-serving paths, meaning an attacker who could influence a tool-produced ReplyPayload.mediaUrl could coerce the gateway process into reading host-local files with audio-like extensions and receiving them base64-encoded in the webchat transcript. This is a trust-boundary failure at the AI/tool-output layer — prompt injection or malicious tool content is the delivery mechanism, but the root cause is missing filesystem containment in an agent framework. With only 4 downstream npm dependents, no CISA KEV listing, and no public exploit, the blast radius is currently limited, but any OpenClaw deployment where agents process untrusted external content faces a realistic exfiltration path. Upgrade to openclaw@2026.4.15 or later; until patched, prevent untrusted prompt and tool content from influencing reply media URLs.

Sources: GitHub Advisory, MITRE ATLAS

What is the risk?

Medium risk overall. Exploitation requires prompt injection capability or the ability to influence agent tool output — not trivial, but realistic in any OpenClaw deployment that ingests external documents, user-supplied content, or third-party tool responses. File access is constrained to audio-like extensions readable by the gateway process within the audio size cap, which limits but does not eliminate the attack surface: sensitive files renamed or symlinked with audio extensions could be in scope. No active exploitation observed, EPSS unavailable (new advisory), and the 4-dependent ecosystem footprint constrains immediate blast radius. For deployments where the OpenClaw agent handles untrusted external inputs, risk is elevated due to the direct host filesystem access vector.

How does the attack unfold?

1. Prompt Injection (AML.T0051.001): Attacker delivers an indirect prompt injection payload via user input or malicious content embedded in a document or tool response processed by the OpenClaw webchat agent.
2. Media URL Manipulation (AML.T0053): The injected instruction causes the agent or an invoked tool to produce a ReplyPayload with mediaUrl set to a host-local file path (e.g., file:///etc/ssl/private/server.key.wav) instead of a legitimate media URL.
3. Local File Read (AML.T0037): The webchat audio embedding helper resolves the attacker-controlled path without calling assertLocalMediaAllowed, reading the host-local file outside the permitted media root as if it were a legitimate audio asset.
4. Exfiltration via Webchat (AML.T0086): File contents are base64-encoded and embedded into the webchat media response, delivering sensitive host file data directly to the attacker through the legitimate chat transcript channel.

What systems are affected?

Package: OpenClaw (npm)
Vulnerable range: <= 2026.4.14
Patched version: 2026.4.15
Dependents: 4; 37% patched; ~3 days to patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation status: No known exploitation
Sophistication: Moderate

What should I do?

4 steps
1. PATCH: Upgrade to openclaw@2026.4.15 or latest stable (2026.4.21). The fix threads local media roots into the webchat audio embedding path and calls assertLocalMediaAllowed before any local audio content is read; 2026.4.21 adds a trustedLocalMedia gate blocking untrusted model/tool payloads from opting into local audio embedding entirely.

2. WORKAROUND (pre-patch): Disable webchat audio embedding for sessions that process untrusted prompt or tool content. Restrict agent tool configurations so that tool-produced payloads cannot set arbitrary mediaUrl values.

3. DETECTION: Monitor gateway process file access patterns for reads outside expected media root directories. Review webchat transcripts for unexpected audio attachments or anomalous base64-encoded media payloads.

4. AUDIT: Review all agent tool definitions that produce ReplyPayload objects and validate that local file path injection into mediaUrl fields is not possible through any tool-output path.

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.10.3 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10: LLM02 - Insecure Output Handling; LLM08 - Excessive Agency

Frequently Asked Questions

Is GHSA-gfg9-5357-hv4c actively exploited?

No confirmed active exploitation of GHSA-gfg9-5357-hv4c has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-gfg9-5357-hv4c?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webchat deployments, AI agent tool pipelines.

What is the CVSS score for GHSA-gfg9-5357-hv4c?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Agent frameworks, webchat deployments, AI agent tool pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0051.001 LLM Prompt Injection: Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.10.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02, LLM08

What are the technical details?

Original Advisory

## Impact

OpenClaw deployments before `2026.4.15` could embed host-local audio files into webchat responses without applying the local media root containment check used by other media-serving paths.

If an attacker could influence an agent or tool-produced `ReplyPayload.mediaUrl`, the webchat audio embedding helper could resolve an absolute local path or `file:` URL, read an audio-like file under the size cap, and base64-encode it into the webchat media response.

This crossed the model/tool-output boundary into a host file read. Prompt injection or malicious tool output is a delivery mechanism; the security boundary failure is the missing local-root containment check.

The impact is narrow: the file had to be readable by the gateway process, have an audio-like extension, and fit within the webchat audio size cap. The issue exposed contents into the webchat assistant/media transcript path; it was not a general remote filesystem API.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected versions: `<= 2026.4.14`
- Patched version: `2026.4.15`

The latest public release, `2026.4.21`, also contains the fix.

## Patches

The public fix threads the applicable local media roots into the webchat audio embedding path and calls `assertLocalMediaAllowed` before local audio content is read. Current `main` also includes an additional `trustedLocalMedia` gate so untrusted model/tool payloads cannot opt into local audio embedding.

Fix commit:

- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde`

## Workarounds

Upgrade to `openclaw@2026.4.15` or later. The latest public release, `2026.4.21`, is fixed.

Before upgrading, avoid exposing webchat sessions to untrusted prompt/tool content that can influence reply media URLs.

## Credits

OpenClaw thanks @zsxsoft for reporting.

Exploitation Scenario

An attacker interacts with a public-facing OpenClaw webchat and embeds a prompt injection payload in their input, targeting an agent that processes the request. The injected instruction causes the agent or a tool it invokes to produce a ReplyPayload with mediaUrl set to a host-local path such as file:///etc/ssl/private/server.key.wav or an absolute path to a sensitive file renamed with an audio-like extension. The webchat audio embedding helper, missing the assertLocalMediaAllowed check, resolves the path, reads the file within the audio size cap, base64-encodes the contents, and embeds them into the webchat media response. The attacker receives the exfiltrated file data directly in the chat transcript — no direct filesystem API access required, and the exfiltration channel is the legitimate webchat response.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

Timeline

Published: April 29, 2026
Last modified: April 29, 2026
First seen: April 30, 2026
