6.8
OpenClaw: Malicious Code May Access Unauthorized Files in Sandbox
GHSA-h9xm-j4qg-fvpg
Summary
In certain sandbox setups, OpenClaw's experimental `apply_patch` tool can write to files outside the workspace. This is only a concern if sandbox mode is enabled, the experimental tool is turned on, workspace-only settings are in use, and writable mounts exist outside the workspace. To stay safe, keep your OpenClaw version up to date and follow the recommended configuration settings.
What to do
- Update openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)
Original description
### Summary
In some opt-in sandbox configurations, the **experimental** `apply_patch` tool did not consistently apply workspace-only checks to mounted paths (for example `/agent/...`).
### Impact
This does **not** affect default installs.
Default posture:
- `agents.defaults.sandbox.mode=off` (sandbox disabled by default)
- `tools.exec.applyPatch.enabled=false` (experimental tool disabled by default)
This behavior applies only when all of the following are enabled/configured:
- sandbox mode,
- experimental `apply_patch`,
- workspace-only expectations (`tools.fs.workspaceOnly=true` and/or `tools.exec.applyPatch.workspaceOnly=true`),
- and writable mounts outside workspace.
Under that opt-in setup, `apply_patch` operations could target mounted paths outside the workspace root.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected published versions: `<= 2026.2.22-2`
- Fixed in code on `main`: commit `6634030be31e1a1842967df046c2f2e47490e6bf`
- Patched release: `2026.2.23`
### Technical Details
In the sandbox path flow, `apply_patch` used `sandbox.bridge.resolvePath(...)` without applying the same workspace-root assertion used by other filesystem tools. The fix makes `apply_patch` follow the same workspace-only enforcement for sandbox-resolved paths (unless explicitly disabled with `tools.exec.applyPatch.workspaceOnly=false`).
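The difference between resolving a sandbox path and also asserting that it stays under the workspace root, as an added example that is not OpenClaw's source code. The mount table, host paths and function names are hypothetical stand-ins for `sandbox.bridge.resolvePath(...)` and the workspace-root assertion.

```javascript
// Added illustration, not OpenClaw source. Mounts, paths and names are constructed.
const MOUNTS = [
  { container: '/workspace', host: '/srv/sbx/ws' },    // the workspace
  { container: '/agent', host: '/srv/sbx/agent' },     // writable mount outside it
];
const WORKSPACE_ROOT = '/srv/sbx/ws';

// Lexically normalize a POSIX path: collapse ".", ".." and repeated slashes.
function normalize(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); else out.push(seg);
  }
  return '/' + out.join('/');
}

// Stand-in resolver: maps a container path to a host path through the mounts.
function resolveSandboxPath(containerPath, cwd = '/workspace') {
  const abs = normalize(containerPath.startsWith('/') ? containerPath : cwd + '/' + containerPath);
  const m = MOUNTS.find((x) => abs === x.container || abs.startsWith(x.container + '/'));
  if (!m) throw new Error(`not in any mount: ${abs}`);
  return normalize(m.host + abs.slice(m.container.length));
}

// Workspace-root assertion: the host path must be the root or lie beneath it.
// Comparing against root + '/' keeps a sibling such as /srv/sbx/ws-other out.
function assertInWorkspace(hostPath, root = WORKSPACE_ROOT) {
  const r = normalize(root);
  if (hostPath !== r && !hostPath.startsWith(r + '/')) {
    throw new Error(`outside workspace root: ${hostPath}`);
  }
  return hostPath;
}

// "Before": resolution only, so every mounted path is an acceptable patch target.
function patchTargetUnchecked(p) { return resolveSandboxPath(p); }

// "After": same resolution, then the workspace-only check unless explicitly disabled.
function patchTargetChecked(p, { workspaceOnly = true } = {}) {
  const host = resolveSandboxPath(p);
  return workspaceOnly ? assertInWorkspace(host) : host;
}

// Helper for callers and tests: true when fn throws.
function rejects(fn) { try { fn(); return false; } catch { return true; } }
```

This check is purely lexical; a production check would also compare real paths so that a symlink inside the workspace cannot point outside it.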
### Fix Commit(s)
- `6634030be31e1a1842967df046c2f2e47490e6bf`
### Release Process Note
`patched_versions` is pre-set to the released version (`2026.2.23`). Patched in `2026.2.23` and published.
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS3.1: 6.8
Vulnerability type
- CWE-284: Improper Access Control
- CWE-863: Incorrect Authorization
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026