Perceptive Security
SOC/SIEM Consultancy

Published: 4 May 2026 at 22:00:00
Alert date: 5 May 2026 at 20:13:49
Source: nvd.nist.gov
Identity & Access, Data Breach & Exfiltration
OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper. The flaw allows unauthorized local file disclosure: a sender whose read access has been denied via toolsBySender or group policy can still trigger host-media attachment loading. Because the read helper does not enforce the sender- and group-scoped authorization boundaries, such a sender can retrieve any local file readable by the OpenClaw process through the outbound media path. The vulnerability affects the file access controls and authorization mechanisms of OpenClaw installations.
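The following added model (not OpenClaw's code and not part of the advisory) shows the hardening principle the description implies: the sender-scoped decision is made inside the host-media read helper itself, so a caller such as the outbound attachment path cannot reach the file without it. The `SenderPolicy` shape, the layout of the `toolsBySender` map and group policy, and the sample senders are assumptions.

```python
"""Sender-scoped authorization enforced at the host-media read boundary."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
import os
import tempfile


@dataclass
class SenderPolicy:
    # Hypothetical shape: per-sender set of permitted tools, and a per-group
    # set consulted only when the sender has no explicit entry of its own.
    tools_by_sender: Dict[str, Set[str]] = field(default_factory=dict)
    group_policy: Dict[str, Set[str]] = field(default_factory=dict)

    def allows_read(self, sender: str, group: Optional[str]) -> bool:
        """Deny by default; an explicit sender entry overrides the group entry."""
        if sender in self.tools_by_sender:
            return "read" in self.tools_by_sender[sender]
        if group is not None and group in self.group_policy:
            return "read" in self.group_policy[group]
        return False


class ReadDenied(PermissionError):
    pass


def read_host_media_unchecked(path: str) -> bytes:
    # Weak form: trusts every caller to have checked policy beforehand. Any
    # code path that reaches it (e.g. outbound attachment loading) reads the file.
    with open(path, "rb") as f:
        return f.read()


def read_host_media(path: str, sender: str, group: Optional[str], policy: SenderPolicy) -> bytes:
    # Hardened form: the authorization decision lives where the file is opened,
    # so no caller can bypass it by taking a different route to the helper.
    if not policy.allows_read(sender, group):
        raise ReadDenied(f"sender {sender!r} may not read host files")
    return read_host_media_unchecked(path)


def demo() -> Dict[str, str]:
    # Constructed policy: alice allowed, mallory explicitly denied (even though
    # her group allows reads), bob allowed via group, eve has no entry at all.
    policy = SenderPolicy(tools_by_sender={"alice": {"read"}, "mallory": set()},
                          group_policy={"ops": {"read"}})
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(b"constructed sample content")  # constructed sample file
    results = {}
    for sender, group in (("alice", None), ("mallory", "ops"), ("bob", "ops"), ("eve", None)):
        try:
            read_host_media(f.name, sender, group, policy)
            results[sender] = "allowed"
        except ReadDenied:
            results[sender] = "denied"
    os.unlink(f.name)
    return results
```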
Affected products: OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-42438
https://github.com/openclaw/openclaw/commit/c949af9fabf3873b5b7c484090cb5f5ab6049a98
https://github.com/openclaw/openclaw/security/advisories/GHSA-jhpv-5j76-m56h
https://www.vulncheck.com/advisories/openclaw-sender-policy-bypass-in-host-media-attachment-reads
This article was created with the assistance of AI technology by Perceptive.
