cvedb.io
CVE-2026-44996
LOW · CVSS 3.7
EPSS exploitation probability: 0%
Published 2026-05-11T18:16:39.530 · Last modified 2026-06-17T10:51:34.563

Summary

OpenClaw before 2026.4.15 contains an arbitrary local file read vulnerability in the webchat audio embedding helper, which fails to apply local media root containment checks. An attacker who can influence the agent- or tool-produced ReplyPayload.mediaUrl parameter can make it resolve to an absolute local path or a file URL, causing the helper to read audio-like files and embed them base64-encoded into webchat responses.

Affected products

openclaw — openclaw

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.