top of page
perceptive_background_267k.jpg

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthori…

Published:

4 May 2026 at 22:00:00

Alert date:

5 May 2026 at 13:07:56

Source:

nvd.nist.gov

Click to open the original link from this advisory

Identity & Access, Data Breach & Exfiltration

CVE-2026-42438 affects OpenClaw versions 2026.4.9 before 2026.4.10, containing a sender policy bypass vulnerability in the outbound host-media attachment read helper. This vulnerability allows unauthorized local file disclosure where attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading. The flaw enables bypassing sender and group-scoped authorization boundaries to retrieve readable local files through the outbound media path. The vulnerability has been patched in version 2026.4.10 with fixes available through GitHub commits and security advisories.

Technical details

Mitigation steps:

Affected products:

OpenClaw

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-42438
https://github.com/openclaw/openclaw/commit/c949af9fabf3873b5b7c484090cb5f5ab6049a98
https://github.com/openclaw/openclaw/security/advisories/GHSA-jhpv-5j76-m56h
https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-host-media-attachment-reads

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: Deze website toont informatie afkomstig van externe bronnen. Perceptive aanvaardt geen verantwoordelijkheid voor de inhoud, juistheid of volledigheid van deze informatie.

bottom of page