GHSA-jjgj-cpp9-cvpv: OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection

March 4, 2026

A malicious or compromised MCP (Model Context Protocol) tool server can exfiltrate arbitrary local files from the host system by injecting MEDIA: directives into tool result text content. OpenClaw’s tool result processing pipeline extracts file paths from MEDIA: tokens without source-level validation, passes them through a localRoots allowlist check that includes os.tmpdir() by default (covering /tmp on Linux/macOS and %TEMP% on Windows), and then reads and delivers the file contents to external messaging channels such as Discord, Slack, Telegram, and WhatsApp.

References

github.com/advisories/GHSA-jjgj-cpp9-cvpv
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv
owasp.org/www-community/attacks/Path_Traversal

Code Behaviors & Features

Detect and mitigate GHSA-jjgj-cpp9-cvpv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →