Severity: 7.7 (CVSS 4.0)

OpenClaw: Files can be overwritten outside of the sandbox workspace

GHSA-cfvj-7rx7-fc7c
Summary

OpenClaw's media staging feature allowed files to be overwritten outside the intended sandbox area. This could happen if a malicious actor created a symbolic link to a file outside the sandbox. To fix this, OpenClaw's developers have updated the software to prevent this kind of attack. If you're using OpenClaw version 2026.3.1 or earlier, update to version 2026.3.2 or later to protect your files.

What to do
  • Update openclaw to version 2026.3.2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.1 | 2026.3.2 |
Original title
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
Original description
### Summary
`stageSandboxMedia` allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.

### Impact
When sandbox media staging handled inbound files, destination writes under `media/inbound` were not destination-alias-safe: no component of the destination path was checked for being a symbolic link. If a symlink existed in that destination path, the write could follow it and overwrite host files outside the intended sandbox workspace boundary.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version checked: `2026.3.1`
- Affected: `<= 2026.3.1`
- Patched versions: `>= 2026.3.2` (released)

### Root Cause
`stageSandboxMedia` validated source paths but wrote destination files with a direct copy path that did not enforce destination boundary/alias checks.

### Remediation
The fix routes staging writes through root-scoped safe write primitives for both local and SCP-staged attachments, preventing destination symlink traversal escapes.

### Fix Commit(s)
- `17ede52a4be3034f6ec4b883ac6b81ad0101558a`
Source: GHSA
Vulnerability type
CWE-59 Link Following
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026