VYPR
Low severity3.7NVD Advisory· Published May 11, 2026· Updated May 13, 2026

CVE-2026-44996

CVE-2026-44996

Description

OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs, read audio-like files, and embed them base64-encoded into webchat responses.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • OpenClaw/Openclawreferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*range: <2026.4.15
    • (no CPE)range: <2026.4.15

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.