CVE-2026-43532

HIGH NVD

CVSS Score 7.7

Severity HIGH

Published May 05, 2026

Vendor unknown

Description

OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media references into channel action paths expecting normalized media.

References

https://github.com/openclaw/openclaw/commit/979c6f09d6fad96596feb91c905934be7e0b4f15
https://github.com/openclaw/openclaw/security/advisories/GHSA-c9h3-5p7r-mrjh
https://www.vulncheck.com/advisories/openclaw-sandbox-media-normalization-bypass-via-discord-event-cover-image