Low severity3.7NVD Advisory· Published May 11, 2026· Updated May 13, 2026
CVE-2026-44996
CVE-2026-44996
Description
OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper that fails to apply local media root containment checks. Attackers can influence agent or tool-produced ReplyPayload.mediaUrl parameters to resolve absolute local paths or file URLs, read audio-like files, and embed them base64-encoded into webchat responses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03ddenvdPatch
- github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4cnvdThird Party Advisory
- www.vulncheck.com/advisories/openclaw-arbitrary-local-file-read-via-webchat-audio-embeddingnvdThird Party AdvisoryPatch
News mentions
0No linked articles in our index yet.