Platform: nodejs
Component: openclaw
Fixed in: 2026.2.15, 2026.2.14
CVE-2026-26321 describes a Local File Inclusion (LFI) vulnerability in the OpenClaw Node.js extension. The extension treats attacker-controlled mediaUrl values as local filesystem paths, so an attacker who can influence a tool call, potentially through prompt injection, can read sensitive files directly. The vulnerability affects versions prior to 2026.2.14, and a fix is available in version 2026.2.14 and later.
The primary impact of CVE-2026-26321 is the potential for unauthorized access to sensitive local files. An attacker who can influence tool calls, either directly or through prompt injection, can supply malicious mediaUrl values containing paths to critical system files, such as /etc/passwd or configuration files. Successful exploitation could lead to the disclosure of user credentials, system configurations, and other confidential data. The blast radius extends to any system where the vulnerable OpenClaw extension is deployed and accessible to an attacker.
CVE-2026-26321 was publicly disclosed on February 17, 2026. The vulnerability's exploitation context is currently unclear, and no public proof-of-concept (POC) exploits have been identified. Its inclusion in the Node.js ecosystem suggests a potential for broader impact, particularly in applications leveraging OpenClaw. The EPSS score is pending evaluation.
Exploit Status
EPSS: 0.03% (7th percentile)
The recommended mitigation for CVE-2026-26321 is to immediately upgrade the OpenClaw extension to version 2026.2.14 or a later patched version. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on the mediaUrl parameter to prevent the inclusion of arbitrary file paths. While not a complete solution, this can reduce the attack surface. Review and harden prompt injection defenses to prevent attackers from manipulating tool calls. After upgrading, confirm the fix by attempting to trigger the vulnerable functionality with a known malicious mediaUrl (e.g., /etc/passwd) and verifying that access is denied.
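One way to implement the stricter mediaUrl validation described above, as an added example that is not OpenClaw's own code (the function name `validateMediaUrl` and the accepted-scheme list are assumptions): the value is parsed as an absolute URL and anything that could be handed to a local file reader is rejected before a media-loading helper ever sees it.

```javascript
// Added example: allowlist-based validation of a mediaUrl value before it is
// passed to any media-loading helper. Not OpenClaw's code; the function name
// and the set of accepted schemes are assumptions for this illustration.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns { ok: true, url } for an acceptable remote URL, or { ok: false, reason }.
// Anything that could be interpreted as a local filesystem path is rejected
// instead of being forwarded to a loader that might open it with fs.
function validateMediaUrl(value) {
  if (typeof value !== "string" || value.length === 0) {
    return { ok: false, reason: "mediaUrl must be a non-empty string" };
  }
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    // Bare paths such as "/etc/passwd" or "../config.json" do not parse as
    // absolute URLs; they must never fall through to a filesystem read.
    return { ok: false, reason: "mediaUrl is not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    // Covers file:, data:, and drive-letter strings like "C:\..." that the
    // WHATWG parser accepts with a single-letter scheme.
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials in mediaUrl are not allowed" };
  }
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs: the first two mirror the /etc/passwd case from
// the advisory, the last is the only one a loader should accept.
const SAMPLE_INPUTS = [
  "/etc/passwd",
  "file:///etc/passwd",
  "../../etc/passwd",
  "C:\\Windows\\win.ini",
  "https://example.com/image.png",
];

function checkSamples() {
  return SAMPLE_INPUTS.map((v) => [v, validateMediaUrl(v).ok]);
}
```

Host-level restrictions (for example blocking loopback addresses) are a separate concern and are not shown here.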
Update OpenClaw to version 2026.2.14 or later. This version fixes the local file disclosure vulnerability by restricting direct access to local files and using hardened helpers for media loading.
CVE-2026-26321 is a Local File Inclusion vulnerability in the OpenClaw Node.js extension, allowing attackers to read local files via manipulated media URLs.
You are affected if you are using OpenClaw versions prior to 2026.2.14 and are vulnerable to prompt injection or have inadequate input validation.
Upgrade OpenClaw to version 2026.2.14 or later. Implement stricter input validation on the mediaUrl parameter as a temporary workaround.
Currently, there is no confirmed active exploitation of CVE-2026-26321, but the vulnerability's nature warrants immediate attention.
Refer to the official OpenClaw project documentation and security advisories for the latest information and updates regarding CVE-2026-26321.