OpenClaw: Unrestricted File Access via Malicious Message Actions
GHSA-fqcm-97m6-w7rm
Summary
A security flaw in OpenClaw allows unauthorized access to files on your computer if a malicious message is received. This is fixed in version 2026.2.24, which is now available. Upgrade to this version to protect your system.
What to do
- Update openclaw to version 2026.2.24.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.24 |
Original title
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
Original description
## Impact
`sendAttachment` and `setGroupIcon` message actions could hydrate media from local absolute paths when `sandboxRoot` was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage: `2026.2.23`
- Vulnerable: `<= 2026.2.23`
- Patched in code: `>= 2026.2.24` (planned next release)
## Remediation
Upgrade to `openclaw` `2026.2.24` or later once published.
## Fix Commit(s)
- 270ab03e379f9653e15f7033c9830399b66b7e51
## Release Process Note
`patched_versions` is pre-set to the planned next release (`>= 2026.2.24`). Once that npm release is published, this advisory can be published without further field edits.
OpenClaw thanks @GCXWLP for reporting.
### Publication Update (2026-02-25)
`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
Score: 8.7 (CVSS 4.0, GHSA)
Vulnerability type
- CWE-22: Path Traversal
- CWE-200: Information Exposure
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026