8.9
OpenClaw fails to secure image loading in sandboxed mode
GHSA-9f72-qcpw-2hxc
Summary
When OpenClaw runs in sandbox mode with the optional `tools.fs.workspaceOnly=true` hardening setting enabled, native prompt image loading may still read image files from mounted paths outside the workspace, which can expose sensitive data. Update to the latest version of OpenClaw to ensure secure image loading in sandboxed mode.
What to do
- Update openclaw to version 2026.2.24.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.24 |
Original title
OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
Original description
### Summary
In sandboxed runs, native prompt image auto-load did not honor `tools.fs.workspaceOnly=true`.
This optional hardening setting is **not enabled by default**. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example `/agent/secret.png`) and load those image bytes for vision-capable model input.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version at triage time: `2026.2.23`
- Vulnerable version range: `<= 2026.2.23`
- Patched version (planned next release): `2026.2.24`
### Conditions Required
This issue required all of the following:
- sandbox mode enabled,
- `tools.fs.workspaceOnly=true` configured,
- an out-of-workspace mount path reachable from the sandbox (for example `/agent`),
- vision-capable model path active for native prompt image loading.
### Technical Details
Native prompt image ingestion (`detectAndLoadPromptImages` / `loadImageFromRef`) resolved and read sandbox paths but did not apply the same workspace-root assertion used by file tools when `tools.fs.workspaceOnly` was set.
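The missing check, sketched as an added example (not OpenClaw's code, and not taken from the fix commit): a workspace-root assertion applied inside an image loader when `workspaceOnly` is set. `assertInsideWorkspace`, `loadPromptImage` and the temp-directory layout are hypothetical names and constructed sample data; the example also covers `..` traversal and symlinks, which the advisory does not mention.

```javascript
// Added illustration; not OpenClaw source. All function names are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Throws unless `candidate` resolves (symlinks included) to a file under `root`.
function assertInsideWorkspace(root, candidate) {
  const realRoot = fs.realpathSync(root);
  const realPath = fs.realpathSync(path.resolve(realRoot, candidate));
  const rel = path.relative(realRoot, realPath);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`path escapes workspace: ${candidate}`);
  }
  return realPath;
}

// Image loader that applies the same gate as the file tools when workspaceOnly is set.
function loadPromptImage(ref, { workspaceRoot, workspaceOnly }) {
  const target = workspaceOnly
    ? assertInsideWorkspace(workspaceRoot, ref)
    : path.resolve(workspaceRoot, ref);
  return fs.readFileSync(target);
}

// Constructed sandbox layout: <tmp>/workspace plus a sibling mount <tmp>/agent.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const workspaceRoot = path.join(base, "workspace");
  const agent = path.join(base, "agent");
  fs.mkdirSync(workspaceRoot);
  fs.mkdirSync(agent);
  fs.writeFileSync(path.join(workspaceRoot, "chart.png"), "in-workspace");
  fs.writeFileSync(path.join(agent, "secret.png"), "out-of-workspace");
  fs.symlinkSync(path.join(agent, "secret.png"), path.join(workspaceRoot, "link.png"));
  const attempt = (ref, workspaceOnly) => {
    try { return loadPromptImage(ref, { workspaceRoot, workspaceOnly }).toString(); }
    catch (err) { return "blocked"; }
  };
  const results = {
    inside: attempt("chart.png", true),
    absolute: attempt(path.join(agent, "secret.png"), true),
    traversal: attempt("../agent/secret.png", true),
    symlink: attempt("link.png", true),
    unhardened: attempt(path.join(agent, "secret.png"), false),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

Resolving with `realpathSync` before comparing is what catches the symlink case; a purely lexical prefix check on the requested path would accept `link.png`.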
### Fix Commit(s)
- `370d115549c0dadace0902775eea0d5094aedfdc`
### Verification
- `pnpm check`
- `pnpm exec vitest run --config vitest.gateway.config.ts`
- `pnpm test:fast`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.24`) so that once the npm release is available, this advisory only needs the publish action.
OpenClaw thanks @tdjackey for reporting.
### Publication Update (2026-02-25)
`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
CVSS 4.0 (GHSA): 8.9
Vulnerability type
- CWE-200: Information Exposure
- CWE-284: Improper Access Control
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026