Attack Chain

1. A malicious actor crafts or modifies an existing OpenClaw model.
2. The model includes instructions to trigger the appendLocalMediaParentRoots function within the src/media/local-roots.ts file.
3. Due to the self-whitelisting behavior, the function expands the allowed media parent directories, potentially including sensitive system directories.
4. The model leverages the expanded directory access to request the reading of arbitrary files on the host system.
5. The openclaw application processes the model’s file read request without proper validation due to the bypassed whitelisting.
6. Sensitive files, such as configuration files or credential stores, are read by the application.
7. The extracted data, including credentials, are then potentially exfiltrated by the malicious model.
8. The attacker gains unauthorized access to sensitive data or systems.

Impact

Successful exploitation of this vulnerability allows an attacker to read arbitrary files on the host system where the openclaw application is running. This can lead to the exfiltration of sensitive information, including credentials, API keys, or other confidential data. While the exact number of affected installations is unknown, any system running a vulnerable version of the openclaw package (<=2026.3.28) is susceptible. The impact is narrowed because the tool-fs root expansion requires prior configuration.

Recommendation

• Upgrade the openclaw npm package to version 2026.3.31 or later to remediate the vulnerability (reference: Affected Packages / Versions).
• Implement input validation and sanitization to prevent arbitrary file paths from being processed by the appendLocalMediaParentRoots function (reference: src/media/local-roots.ts).
• Deploy the Sigma rule to detect attempts to access sensitive files via the openclaw application (reference: Sigma rule below).
• Review and restrict the tool-fs root expansion configuration to minimize the impact of potential exploitation (reference: Current Maintainer Triage).