GHSA-57gh-m6rq-54cf: OpenClaw: Self-`Whitelist`ing in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration

April 3, 2026

Media Local Roots Self-Whitelisting in appendLocalMediaParentRoots Allows Model-Initiated Arbitrary Host File Read and Credential Exfiltration

References

github.com/advisories/GHSA-57gh-m6rq-54cf
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/1ca4261d7e055d0be141ed79ebb1365d0fbc7364
github.com/openclaw/openclaw/security/advisories/GHSA-57gh-m6rq-54cf

Code Behaviors & Features

Detect and mitigate GHSA-57gh-m6rq-54cf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →