OpenClaw Critical Exposure: Local File Disclosure & Command Injection Vulnerabilities (CVE-2026-25475 & CVE-2026-25157)

Product Overview – OpenClaw

OpenClaw is an open-source autonomous AI assistant designed to interact with local systems, remote servers, and external tools. It supports file handling, SSH-based remote execution, and plugin/agent extensions. Due to its broad system access, weaknesses in input validation or command handling can result in serious security exposure, including data leakage and remote command execution.


CVE-2026-25475 – Arbitrary File Read Leading to Sensitive Data Exfiltration

Vulnerability Summary

An arbitrary file read vulnerability was identified in OpenClaw due to improper validation of media path inputs. The flaw allows unauthorized reading of local files, which can result in exposure of sensitive system and application data.

Affected Component

Media path parsing logic responsible for handling MEDIA: references.

Affected Versions

All OpenClaw versions prior to v2026.1.30

Fixed Version

OpenClaw v2026.1.30

Official Patch / Upgrade Link

https://github.com/openclaw/openclaw/releases/tag/v2026.1.30


Vulnerability Details

The issue was caused by insufficient validation of file paths supplied through MEDIA: identifiers. Absolute paths, home directory references, and directory traversal sequences were not adequately restricted. As a result, file paths outside the intended media directory scope were accepted and processed.

When such paths were processed, files readable by the OpenClaw process were loaded and rendered as media content. This behavior unintentionally allowed access to sensitive files such as configuration files, authentication tokens, SSH keys, and environment secrets.
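The missing validation described above, written out as an added example; it is not OpenClaw's code or the v2026.1.30 patch. The function name `resolve_media`, the media directory layout, and the sample references are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

PREFIX = "MEDIA:"

def resolve_media(ref: str, media_root: Path) -> Path:
    """Return the real file path for a MEDIA: reference or raise ValueError."""
    if not ref.startswith(PREFIX):
        raise ValueError("not a MEDIA: reference")
    raw = ref[len(PREFIX):].strip()
    if not raw or "\x00" in raw:
        raise ValueError("empty or malformed path")
    # Reject the three input classes named above before touching the disk.
    if raw.startswith("~") or os.path.isabs(raw):
        raise ValueError("absolute or home-relative path")
    if ".." in Path(raw).parts:
        raise ValueError("directory traversal")
    root = media_root.resolve()
    # resolve() follows symlinks, so a link stored inside the media directory
    # that points outside it fails the containment check.
    candidate = (root / raw).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("resolves outside the media directory") from None
    return candidate

def demo() -> dict:
    """Run constructed references against a throwaway media directory."""
    refs = ["MEDIA:cat.png", "MEDIA:/etc/passwd", "MEDIA:~/.ssh/id_rsa",
            "MEDIA:../secret.txt", "MEDIA:link.png"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "media"
        root.mkdir()
        (root / "cat.png").write_bytes(b"constructed sample")
        (Path(tmp) / "secret.txt").write_text("constructed sample")
        (root / "link.png").symlink_to(Path(tmp) / "secret.txt")  # escapes root
        for ref in refs:
            try:
                resolve_media(ref, root)
                results[ref] = "allowed"
            except ValueError as exc:
                results[ref] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```

The symlink case is the one a purely string-based filter misses: `MEDIA:link.png` contains no traversal sequence, yet resolves to a file outside the media directory.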


How Exploitation Could Occur

Exploitation could occur when a malicious or compromised agent, plugin, or workflow generated a crafted MEDIA: reference pointing to sensitive local files. Once processed, the file contents would be exposed through the OpenClaw interface or transmitted externally through connected communication channels.

No memory corruption or privilege escalation is required. The vulnerability relies entirely on path manipulation and trust in agent output.


Impact

  • Exposure of credentials, API keys, tokens, and configuration files
  • Leakage of system information useful for lateral movement
  • Potential compliance violations due to data disclosure
  • Increased risk of follow-on attacks

Exploitability and PoC Status

Proof-of-concept demonstrations have been observed in educational and research contexts. These demonstrations focus on path traversal and unintended file access. No automated exploit tooling is required, making exploitation feasible with minimal effort.

All proof-of-concept activity should be treated as educational only and tested exclusively in isolated environments.


MITRE ATT&CK Mapping

  • T1005 – Data from Local System
  • T1083 – File and Directory Discovery
  • T1041 – Exfiltration Over Command and Control Channel

Detection and Monitoring Guidance

Recommended Log Sources

  • OpenClaw application and agent logs
  • Operating system file access audit logs
  • Chat or message logs where agent output is displayed
  • Network egress and proxy logs

Detection Queries

Application Log Search

MEDIA:/
MEDIA:../
MEDIA:~/

Linux Auditd Query

type=SYSCALL AND exe=*openclaw* AND (path=/etc/* OR path=/home/*/.ssh/*)

Elastic / OpenSearch Query

message:"MEDIA:" AND (message:"../" OR message:"~/" OR message:"/etc/")
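For offline triage of exported logs, the same search can be run against the extracted reference rather than the whole message. This is an added example, not part of OpenClaw or of the original advisory; the log layout and sample lines are constructed, and the names `scan` and `classify` are hypothetical.

```python
import re

# A MEDIA: reference runs to the next whitespace character.
MEDIA_RE = re.compile(r"MEDIA:(\S+)")

# Constructed sample lines; the log layout is hypothetical.
SAMPLE_LOG = [
    "2026-01-28T10:02:11Z agent=summarizer reply: chart is MEDIA:charts/q4.png",
    "2026-01-28T10:02:40Z agent=importer reply: MEDIA:/etc/passwd",
    "2026-01-28T10:03:02Z agent=importer reply: see MEDIA:../../.env for details",
    "2026-01-28T10:03:19Z agent=importer reply: MEDIA:~/.ssh/id_ed25519",
    "2026-01-28T10:04:00Z agent=docs reply: run ../build.sh, view MEDIA:out/result.png",
]

def classify(path: str):
    """Name the out-of-scope path class, or return None for a relative path."""
    if path.startswith("~"):
        return "home-directory reference"
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "directory traversal"
    return None

def scan(lines):
    """Return (line number, path, reason) for each out-of-scope reference."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in MEDIA_RE.finditer(line):
            # Drop trailing quotes and brackets left over from chat formatting.
            path = match.group(1).rstrip("\"'`)],")
            reason = classify(path)
            if reason:
                findings.append((lineno, path, reason))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The last sample line contains both `MEDIA:` and `../`, so a message-level substring query matches it, while the reference itself is an ordinary relative path and is not flagged here.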

Network Monitoring

Outbound data spike following MEDIA reference processing

Mitigation and Hardening Recommendations

  • Upgrade immediately to OpenClaw v2026.1.30
  • Restrict filesystem permissions for the OpenClaw runtime user
  • Disable or review untrusted plugins and agents
  • Enforce allow-listed directories for all media handling
  • Monitor for abnormal file access patterns

CVE-2026-25157 – OS Command Injection via Unescaped Project Path

Vulnerability Summary

An OS command injection vulnerability was discovered in OpenClaw’s SSH execution logic. Improper escaping of project path input allowed arbitrary shell commands to be executed under certain conditions.

Affected Component

SSH helper logic responsible for constructing shell commands using project root paths.

Affected Versions

All OpenClaw versions prior to v2026.1.29

Fixed Version

OpenClaw v2026.1.29

Official Patch / Upgrade Link

https://github.com/openclaw/openclaw/releases/tag/v2026.1.29


Vulnerability Details

The vulnerability originated from unsafe handling of project directory paths used in SSH command construction. When a directory change operation failed, the unescaped path was inserted into shell output handling logic.

If the project path contained shell metacharacters, command substitution or chaining could occur. The injected commands would then be executed in the context of the SSH session, either locally or on the remote host.
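The difference between a path the shell interprets and a path it treats as a literal string, as an added example; it is not OpenClaw's SSH helper or the v2026.1.29 patch. The command shape, the function names, and the sample path are assumptions constructed for illustration, and a local `sh -c` stands in for the shell that would parse the string on the SSH target.

```python
import shlex
import subprocess

# Constructed sample: a project path carrying a harmless command substitution.
SAMPLE_PATH = "/nonexistent/demo$(echo INJECTED)"

def build_unsafe(project_path: str) -> str:
    """Vulnerable pattern: the path is pasted into the shell string, including
    the message printed when the directory change fails."""
    return f'cd {project_path} 2>/dev/null || echo "cannot cd to {project_path}"'

def build_safe(project_path: str) -> str:
    """Hardened pattern: the path is single-quoted once and passed to printf as
    data, so the shell never evaluates anything inside it."""
    quoted = shlex.quote(project_path)
    return f"cd -- {quoted} 2>/dev/null || printf 'cannot cd to %s\\n' {quoted}"

def run(command: str) -> str:
    """Execute the command string with sh, as a remote shell would parse it."""
    done = subprocess.run(["sh", "-c", command], capture_output=True,
                          text=True, timeout=5)
    return done.stdout.strip()

def demo() -> dict:
    return {
        "unsafe": run(build_unsafe(SAMPLE_PATH)),
        "safe": run(build_safe(SAMPLE_PATH)),
    }

if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label:7} {output}")
```

In the unsafe output the substitution has been executed and replaced by its result; in the safe output the path appears exactly as supplied.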


How Exploitation Could Occur

Exploitation could occur when a crafted project path was introduced into OpenClaw, either through user interaction or imported project configuration. When SSH execution was initiated, the malformed path would be interpreted by the shell rather than treated as a literal string.

This could result in arbitrary command execution on systems accessed via SSH by OpenClaw.


Impact

  • Remote code execution on SSH targets
  • Unauthorized system command execution
  • Data destruction or exfiltration
  • Potential persistence installation on remote systems

Exploitability and PoC Status

Proof-of-concept demonstrations exist for educational purposes, illustrating unsafe shell evaluation of user-controlled paths. Exploitation complexity is low when project path manipulation is possible.

All testing must be performed in controlled lab environments only.


MITRE ATT&CK Mapping

  • T1059 – Command and Scripting Interpreter
  • T1190 – Exploit Public-Facing Application
  • T1210 – Exploitation of Remote Services

Detection and Monitoring Guidance

Recommended Log Sources

  • SSH client and server logs
  • OpenClaw execution logs
  • System process execution logs
  • Command auditing frameworks

Detection Queries

SSH Server Log Search

"cd " AND (";" OR "&&" OR "|")

Linux Process Monitoring

parent_process=openclaw AND command_line=*sh*

Elastic / OpenSearch Query

process.parent.name:"openclaw" AND process.command_line:("*;*" OR "*&&*" OR "*|*")

Auditd Rule Example

-a always,exit -F arch=b64 -S execve -F exe=/usr/bin/ssh

Mitigation and Hardening Recommendations

  • Upgrade immediately to OpenClaw v2026.1.29
  • Avoid opening untrusted or externally sourced projects
  • Restrict SSH access to trusted hosts only
  • Enforce strict input sanitization and path allow-listing
  • Monitor SSH command execution patterns

Final Takeaway

Both vulnerabilities demonstrate the risk of implicit trust in agent output and user-controlled input within automation platforms. Timely patching, least-privilege execution, and continuous monitoring remain essential to maintaining a secure OpenClaw deployment.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.