{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T17:54:46.727","vulnerabilities":[{"cve":{"id":"CVE-2026-25475","sourceIdentifier":"security-advisories@github.com","published":"2026-02-04T20:16:07.287","lastModified":"2026-02-13T14:42:29.397","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts accepts arbitrary file paths, including absolute paths, home directory paths, and directory traversal sequences. An agent can therefore read any file that the OpenClaw process has permission to read by emitting MEDIA:/path/to/file in its output, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30."},{"lang":"es","value":"OpenClaw es un asistente de IA personal. Antes de la versión 2026.1.30, la función isValidMedia() en src/media/parse.ts acepta rutas de archivo arbitrarias, incluyendo rutas absolutas, rutas de directorio de inicio y secuencias de salto de directorio. Por lo tanto, un agente puede leer cualquier archivo que el proceso de OpenClaw tenga permiso de leer al generar MEDIA:/path/to/file en su salida, exfiltrando datos sensibles al usuario/canal. Este problema ha sido parcheado en la versión 2026.1.30."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-200"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2026.1.30","matchCriteriaId":"85BCA27F-CEA4-4F4E-940F-5957B8EB247F"}]}]}],"references":[{"url":"https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq","source":"security-advisories@github.com","tags":["Exploit","Patch","Vendor Advisory"]}]}}]}