CVE-2026-29611

Sažetak

OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

Reference

https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc
https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv
https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling

CVSS

Base:	6.2
Impact:	3.6
Exploitability:	2.5

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

05-03-2026 - 22:16

Objavljeno

05-03-2026 - 22:16