Description
OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction
Summary
The isValidMedia() function in src/media/parse.ts accepts arbitrary file paths, including absolute paths, home-directory paths, and directory traversal sequences. An agent can read any file accessible to the agent's user by outputting MEDIA:/path/to/file, exfiltrating its contents to the requesting user or channel.
Details
Location: src/media/parse.ts:17-27
The path validation accepts dangerous patterns such as absolute paths, home-directory paths, and directory traversal sequences.
No validation ensures that the path is within a safe directory or that it refers to an actual media file.
PoC
The agent outputs a line of the form MEDIA:/path/to/file pointing at a sensitive file.
The file's contents are rendered/sent to the requesting user or channel.
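To make the Details and PoC concrete, the following is an added example (not OpenClaw's code; the page does not reproduce the body of isValidMedia()) that shows a permissive check reconstructed from the behaviour described above beside a hardened one, and runs both over constructed agent output containing MEDIA: lines. The media root path, the extension allow-list, and all function names are assumptions for illustration.

```typescript
import * as path from "node:path";

// Hypothetical directory that outbound media is confined to. The advisory does not
// say what OpenClaw's safe directory is (or whether one exists); this is an assumption.
export const MEDIA_ROOT = "/var/lib/openclaw/media";

// Extensions treated as "actually a media file" for this example (assumption).
const MEDIA_EXTENSIONS = new Set([".png", ".jpg", ".jpeg", ".gif", ".webp", ".mp3", ".mp4", ".ogg", ".wav"]);

// Permissive check modelled on the behaviour the advisory describes: any non-empty
// path is accepted, so /etc/passwd, ~/.ssh/id_rsa and ../../.env all pass.
// This is a reconstruction for illustration, not the project's isValidMedia().
export function isValidMediaPermissive(candidate: string): boolean {
  return candidate.trim().length > 0;
}

// Hardened check: the path must be relative, carry no "~" home prefix, no NUL byte
// and no ".." segment, resolve to a location strictly under the media root, and have
// a media extension. Each rule maps to one of the dangerous patterns in the advisory.
export function isValidMediaHardened(candidate: string, root: string = MEDIA_ROOT): boolean {
  const p = candidate.trim();
  if (p.length === 0 || p.includes("\0")) return false;
  if (path.isAbsolute(p)) return false; // MEDIA:/etc/passwd
  if (p === "~" || p.startsWith("~/") || p.startsWith("~\\")) return false; // MEDIA:~/.ssh/id_rsa
  if (p.split(/[\\/]+/).includes("..")) return false; // MEDIA:../../.env
  // Belt and braces: even if the segment check were bypassed, the resolved path must
  // stay inside root. relative() yields ".." / "../x" or an absolute path when it escapes.
  const resolved = path.resolve(root, p);
  const rel = path.relative(root, resolved);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) return false;
  return MEDIA_EXTENSIONS.has(path.extname(resolved).toLowerCase());
}

// Pull every MEDIA:<path> line out of agent output, the way a channel sender would
// before deciding what to attach.
export function extractMediaPaths(output: string): string[] {
  const paths: string[] = [];
  for (const line of output.split(/\r?\n/)) {
    const m = /^MEDIA:\s*(\S.*)$/.exec(line.trim());
    const target = m?.[1];
    if (target) paths.push(target.trim());
  }
  return paths;
}

// Run every extracted path through a validator and split accepted from rejected.
export function triageMediaRefs(
  output: string,
  validator: (p: string) => boolean,
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const p of extractMediaPaths(output)) {
    (validator(p) ? accepted : rejected).push(p);
  }
  return { accepted, rejected };
}

// Constructed agent output for the demo (not a real capture): one legitimate media
// reference plus the three path shapes the advisory calls out.
export const SAMPLE_AGENT_OUTPUT = [
  "Here is the file you asked for.",
  "MEDIA:/etc/passwd",
  "MEDIA:~/.ssh/id_rsa",
  "MEDIA:../../.env",
  "MEDIA:cat.png",
].join("\n");

// Stand-alone run: the permissive check passes all four references, the hardened one only cat.png.
console.log("permissive:", triageMediaRefs(SAMPLE_AGENT_OUTPUT, isValidMediaPermissive));
console.log("hardened:  ", triageMediaRefs(SAMPLE_AGENT_OUTPUT, isValidMediaHardened));
```

The segment check and the resolve-then-relative check deliberately overlap: the first gives a clear rejection reason, the second catches anything the first misses (symlink-free normalisation, odd separators). Rejecting ".." segments outright, rather than normalising them, also keeps a reference such as sub/../cat.png out even though it would resolve inside the root.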
Impact
- Read ANY file accessible to the agent user
- Exfiltrate SSH keys (~/.ssh/id_rsa)
- Steal cloud credentials (~/.aws/credentials)
- Access API keys (.env, config.json)
- Read system files (/etc/passwd, /etc/shadow)
Note: at the time of this report, PR #4930 contains a fix but is NOT MERGED; production is vulnerable.
Packages
openclaw
Affected versions: <= 2026.1.29
Patched version: 2026.1.30
Related vulnerabilities
OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30.