Vulnerability Report

CVE-2026-29611

Title: OpenClaw BlueBubbles Local File Inclusion

Arbitrary File Access

Proof Of Concept

No public PoC currently indexed for CVE-2026-29611.

CWE Category CWE-73

Published Date Mar 05, 2026

Modified Date Mar 11, 2026

Exploit Status Not Found

Score 8.2 CVSS v4.0

Exploit Probability (EPSS)

0.29%

Vulnerability Summary

CVE-2026-29611: OpenClaw versions prior to 2026.2.14 contain a local file inclusion vulnerability in BlueBubbles extension (must be installed and enabled) media path handling that allows attackers to read arbitrary files from the local filesystem. The sendBlueBubblesMedia function fails to validate mediaPath parameters against an allowlist, enabling attackers to request sensitive files like /etc/passwd and exfiltrate them as media attachments.

Impacted Vendors

openclaw 1

Reference Links

https://github.com/openclaw/openclaw/commit/71f357d9498cebb0efe016b0496d5fbe807539fc https://github.com/openclaw/openclaw/security/advisories/GHSA-rwj8-p9vq-25gv https://www.vulncheck.com/advisories/openclaw-local-file-inclusion-via-mediapath-parameter-in-bluebubbles-media-handling

CVSS v4.0

Source Entity [email protected]

Severity HIGH

8.2

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

N/A

RAW VECTOR

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS v3.1