
At a Glance
GHSA-gfg9-5357-hv4c
Identifier
High
Severity
Malicious Tool Output
Attack Vector
OpenClaw
Affected Product
A high-severity vulnerability was discovered in the OpenClaw agentic framework. The flaw allowed a malicious actor to read local files from the host system through the webchat interface. Deployments of the `openclaw` npm package before version `2026.4.14` are affected by this issue [1]. The vulnerability stems from a missing security check when embedding audio files in chat responses. A patch has been released and is available in version `2026.4.15` and later.
The Attack Chain: From Prompt to File Read
The attack exploits the boundary between an AI agent's generated output and the server-side code that processes it. In an OpenClaw environment, an AI model can use tools to generate rich replies, including media. This vulnerability targets the `ReplyPayload.mediaUrl` field, which an agent or its tools can populate. An attacker's goal is to influence this field's content, potentially through prompt injection or by compromising a tool used by the agent.
An attacker can craft a payload that sets the `mediaUrl` to a local file path, such as `file:///etc/hosts` or an absolute path like `/var/log/app.log`. The OpenClaw webchat component would then receive this instruction. It would attempt to embed the specified resource as an audio file in the chat response for the user to hear.
The core of the vulnerability lies in this step. The audio embedding helper processed the local file path without validating it against a list of approved media directories. The system would read the specified file, encode its contents, and embed it into the webchat's media response [2]. This effectively exfiltrated the local file's content to the attacker, who could then read it from the chat transcript.
OPERATOR ACTION
Upgrade OpenClaw deployments to version 2026.4.15 or later to mitigate this vulnerability.
A Missing Boundary Check
The technical root cause was a simple but critical oversight. The code path responsible for embedding audio files in webchat responses failed to perform a containment check. This type of check, often called path traversal protection, ensures that file paths do not point to locations outside of an intended directory. The vulnerability was an isolated gap in protection.
Other parts of the OpenClaw codebase that serve media files correctly implement this security measure. The webchat audio feature was a specific exception where the check was missing. The public fix rectifies this by threading the local media root configuration into the webchat audio path. It then calls the `assertLocalMediaAllowed` function before any file is read from the local disk [3]. This ensures all local file access requests are properly validated.
The Agentic Threat Surface
This incident is a clear example of the expanding threat surface introduced by agentic AI systems. Traditional security models often assume that data processed by server-side code has been validated. However, AI agents introduce a new, untrusted input source: the model's own output. This output is not just data; it can be interpreted as commands, file paths, or code.
The OpenClaw vulnerability illustrates a classic "confused deputy" problem. The webchat component is a "deputy" with the authority to read files from the local system to embed media. It was "confused" by a malicious input from the AI agent, causing it to misuse its authority to access files outside its designated scope. This highlights a fundamental challenge in agentic security.
Defending against these threats requires a new mindset. Developers and security teams can no longer implicitly trust the output of an AI model or its associated tools. Every piece of data generated by an agent that will be consumed by another system component must be treated as potentially hostile. Strong input validation and boundary checks are essential at every interface between the AI and the host environment.
Scope and Impact
While the vulnerability is rated as high severity, its impact has specific limitations. An attacker could not gain arbitrary code execution or a fully interactive shell. The exploit was limited to reading files that the OpenClaw gateway process had permission to access. This prevents access to privileged files owned by the root user, for example.
The vulnerability also had other constraints. The target file needed to have an audio-like file extension and fit within the webchat's size cap for audio files. These factors narrow the scope of a potential attack, but sensitive information in configuration files, logs, or user data could still be exposed if they met these criteria [2].
Detection and Mitigation
The primary mitigation is to upgrade the `openclaw` package to a patched version, `2026.4.15` or newer. The latest public release, `2026.4.21`, also contains the fix. For teams unable to upgrade immediately, a temporary workaround is to avoid exposing webchat sessions to any untrusted content that could influence reply media URLs [1].
For detection, security teams should implement monitoring for anomalous payloads. Specifically, logging and alerting on `ReplyPayload.mediaUrl` values that contain `file:` schemes or absolute file system paths can help identify attempted exploitation. This type of application-level monitoring is critical for catching attacks that abuse the intended functionality of a system. The patch also introduces a `trustedLocalMedia` gate, adding another layer of defense for future development.
References
- GitHub Security Advisory (GHSA-gfg9-5357-hv4c). https://github.com/advisories/GHSA-gfg9-5357-hv4c (accessed 2026-05-02).
- Vendor security advisory (github.com). https://github.com/openclaw/openclaw/security/advisories/GHSA-gfg9-5357-hv4c (accessed 2026-05-02).
- Patch commit / PR (github.com). https://github.com/openclaw/openclaw/commit/6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde (accessed 2026-05-02).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.