Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
OpenClaw's image tool can steal sensitive outside-project data
GHSA-q6qf-4p5j-r25g
Summary
A bug in OpenClaw's image tool allowed it to access and leak sensitive files outside the project's workspace. This was fixed in version 2026.2.23. Make sure to update to the latest version to protect your project's data.
What to do
- Update openclaw to version 2026.2.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.23 |
Original title
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
Original description
### Summary
In OpenClaw, the sandboxed `image` tool did not honor `tools.fs.workspaceOnly=true` for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example `/agent/*`) and forwarding those bytes to vision model providers.
### Impact
Sandbox boundary bypass with confidentiality impact. In affected versions, `read`/`write`/`edit` respected workspace-only guardrails, but `image` could still load mounted out-of-workspace files and exfiltrate them via model requests.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23` (released)
- Latest published npm at triage time: `2026.2.22-2`
### Technical Details
`workspaceOnly` was enforced in sandbox file tools and `apply_patch`, but not propagated/enforced for `image` sandbox path resolution. The fix threads `workspaceOnly` into image-tool construction and asserts sandbox-root containment before loading media bytes.
### Fix Commit(s)
- `dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53`
OpenClaw thanks @tdjackey for reporting.
In OpenClaw, the sandboxed `image` tool did not honor `tools.fs.workspaceOnly=true` for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example `/agent/*`) and forwarding those bytes to vision model providers.
### Impact
Sandbox boundary bypass with confidentiality impact. In affected versions, `read`/`write`/`edit` respected workspace-only guardrails, but `image` could still load mounted out-of-workspace files and exfiltrate them via model requests.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.22-2`
- Patched versions: `>= 2026.2.23` (released)
- Latest published npm at triage time: `2026.2.22-2`
### Technical Details
`workspaceOnly` was enforced in sandbox file tools and `apply_patch`, but not propagated/enforced for `image` sandbox path resolution. The fix threads `workspaceOnly` into image-tool construction and asserts sandbox-root containment before loading media bytes.
### Fix Commit(s)
- `dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53`
OpenClaw thanks @tdjackey for reporting.
ghsa CVSS3.1
5.3
Vulnerability type
CWE-200
Information Exposure
CWE-284
Improper Access Control
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026