CVE-2026-41366

· NIST NVD ↗

OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfiltrate credentials and access sensitive files.

MEDIUM
CVSS severity
5.5
CVSS base score
2026-04-28
Published

CWE codes

CWE-732

Affected products

openclaw:openclaw

Sources