From dbd9b1e6bcadb729212228ca435f8536935c3d46 Mon Sep 17 00:00:00 2001 From: joshp123 Date: Wed, 11 Feb 2026 15:00:56 -0800 Subject: [PATCH] fix(security): guard local media reads + accept all MEDIA path types (#5976) (thanks @buddyh) --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 035d687467..94b2b40141 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ Docs: https://docs.openclaw.ai ### Fixes +- Security: guard local media reads with allowed directory roots to prevent file exfiltration; accept all `MEDIA` path types and defer validation to load time. (#5976) Thanks @buddyh. - Ollama: use configured `models.providers.ollama.baseUrl` for model discovery and normalize `/v1` endpoints to the native Ollama API root. (#14131) Thanks @shtse8. - Slack: detect control commands when channel messages start with bot mention prefixes (for example, `@Bot /new`). (#14142) Thanks @beefiker. - Discord tests: use a partial @buape/carbon mock in slash command coverage. (#13262) Thanks @arosstale.
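Review bot: The new `Security:` bullet under `### Fixes` in CHANGELOG.md is the only change in this patch (1 file changed, 1 insertion), yet the subject line describes a fix that guards local media reads. Either include the code change here or name the commit that carries it, so the changelog entry can be checked against what actually shipped. The bullet also joins a restriction (reads limited to allowed directory roots) and a loosening (accept all `MEDIA` path types, validation deferred to load time) with a semicolon. Consider splitting it into two entries, or stating explicitly that the allowed-root check is applied at load time to every accepted path type, so the second clause is not read as a relaxation of the guard. It would also help to say where the allowed roots are configured and what the default is, since an operator reading a security fix needs to know whether they must change anything.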