{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/credential-exfiltration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["arbitrary-file-read","credential-exfiltration","openclaw","npm"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package, versions 2026.3.28 and earlier, contains a vulnerability related to media local roots self-whitelisting in the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function. This flaw enables a malicious model to initiate arbitrary file reads on the host system. While the tool-fs root expansion requires prior configuration, the vulnerability can still be exploited, resulting in a narrower impact than a default-critical scenario. The vulnerability was reported by @tdjackey and patched in version 2026.3.31. Defenders should ensure they are running version 2026.3.31 or later of the \u003ccode\u003eopenclaw\u003c/code\u003e package to mitigate the risk of arbitrary file read and potential credential exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor crafts or modifies an existing OpenClaw model.\u003c/li\u003e\n\u003cli\u003eThe model includes instructions to trigger the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function within the \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eDue to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.\u003c/li\u003e\n\u003cli\u003eThe model leverages the expanded directory access to request the reading of arbitrary files on the host system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e application processes the model\u0026rsquo;s file read request without proper validation due to the bypassed whitelisting.\u003c/li\u003e\n\u003cli\u003eSensitive files, such as configuration files or credential stores, are read by the application.\u003c/li\u003e\n\u003cli\u003eThe extracted data, including credentials, are then potentially exfiltrated by the malicious model.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the \u003ccode\u003eopenclaw\u003c/code\u003e application is running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the \u003ccode\u003eopenclaw\u003c/code\u003e package (\u0026lt;=2026.3.28) is susceptible. The impact is narrowed because the tool-fs root expansion requires prior configuration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003eopenclaw\u003c/code\u003e npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization to prevent arbitrary file paths from being processed by the \u003ccode\u003eappendLocalMediaParentRoots\u003c/code\u003e function (reference: \u003ccode\u003esrc/media/local-roots.ts\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to access sensitive files via the \u003ccode\u003eopenclaw\u003c/code\u003e application (reference: Sigma rule below).\u003c/li\u003e\n\u003cli\u003eReview and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T02:53:58Z","date_published":"2026-04-03T02:53:58Z","id":"/briefs/2026-04-openclaw-file-read/","summary":"The openclaw package is vulnerable to arbitrary file read and credential exfiltration due to media local roots self-whitelisting in `appendLocalMediaParentRoots`, allowing a model to initiate arbitrary host file reads, potentially leading to credential exfiltration.","title":"OpenClaw Arbitrary File Read and Credential Exfiltration Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-openclaw-file-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Credential-Exfiltration","version":"https://jsonfeed.org/version/1.1"}