CVE-2026-29611

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv	Third Party Advisory
https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

11 Mar 2026, 00:58

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc -~~	() https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv - Third Party Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling -~~	() https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling - Third Party Advisory
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Las versiones de OpenClaw anteriores a la 2026.2.14 contienen una vulnerabilidad de inclusión local de ficheros en el manejo de rutas de medios de la extensión BlueBubbles (debe estar instalada y habilitada) que permite a los atacantes leer ficheros arbitrarios del sistema de ficheros local. La función sendBlueBubblesMedia no valida los parámetros mediaPath contra una lista de permitidos, permitiendo a los atacantes solicitar ficheros sensibles como /etc /passwd y exfiltrarlos como adjuntos de medios.

06 Mar 2026, 17:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.2~~	v2 : unknown v3 : 7.5

05 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 22:16

Updated : 2026-03-11 00:58

NVD link : CVE-2026-29611

Mitre link : CVE-2026-29611

CVE.ORG link : CVE-2026-29611

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-73

External Control of File Name or Path

7.5 /10