3 matches found
CVE-2026-29611
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension must be installed and enabled media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...
CVE-2026-29611
OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension must be installed and enabled media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath...
GHSA-RWJ8-P9VQ-25GV OpenClaw has a LFI in BlueBubbles media path handling
Summary The BlueBubbles extension accepted attacker-controlled local filesystem paths via mediaPath and could read arbitrary local files from disk before sending them as media attachments. Details When sendBlueBubblesMedia received a non-HTTP media source, the previous implementation resolved it ...