2 matches found
GHSA-JJGJ-CPP9-CVPV OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection
Summary A malicious or compromised MCP Model Context Protocol tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw's tool result processing pipeline extracts file paths from MEDIA: tokens without source-level...
Directory Traversal
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the extractToolResultMediaPaths process. An attacker can access and exfiltrate sensitive files from the system's temporary directory or other allowed local roots b...