Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.1
OpenClaw allows attackers to read outside sandbox boundary
GHSA-33hm-cq8r-wc49
Summary
OpenClaw versions 2026.2.23 and earlier can read sensitive files from outside its sandboxed area. This is a security risk for companies that rely on OpenClaw as a secure environment. To fix this, update to OpenClaw version 2026.2.24 or later, and ensure that temporary paths are only accepted from trusted locations within the sandboxed area.
What to do
- Update openclaw to version 2026.2.24.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.23 | 2026.2.24 |
Original title
Temporary path handling could write outside OpenClaw temp boundary
Original description
### Summary
Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version verified during triage: `2026.2.23`
- Affected versions: `<= 2026.2.23`
- Patched versions (planned next release): `>= 2026.2.24`
### Details
In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under `os.tmpdir()`, without requiring that the path stay within the active `sandboxRoot`.
Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery.
### Impact
- Confidentiality impact: high for deployments relying on `sandboxRoot` as a strict local filesystem boundary.
- Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary.
### Remediation
- Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only.
- Default SDK/extension temp helpers to OpenClaw-managed temp roots.
- Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths.
### Fix Commit(s)
- `d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5`
- `79a7b3d22ef92e36a4031093d80a0acb0d82f351`
- `def993dbd843ff28f2b3bad5cc24603874ba9f1e`
### Release Process Note
The advisory is pre-set with patched version `2026.2.24` so it is ready for publication once that npm release is available.
OpenClaw thanks @tdjackey for reporting.
### Publication Update (2026-02-25)
`[email protected]` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version verified during triage: `2026.2.23`
- Affected versions: `<= 2026.2.23`
- Patched versions (planned next release): `>= 2026.2.24`
### Details
In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under `os.tmpdir()`, without requiring that the path stay within the active `sandboxRoot`.
Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery.
### Impact
- Confidentiality impact: high for deployments relying on `sandboxRoot` as a strict local filesystem boundary.
- Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary.
### Remediation
- Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only.
- Default SDK/extension temp helpers to OpenClaw-managed temp roots.
- Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths.
### Fix Commit(s)
- `d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5`
- `79a7b3d22ef92e36a4031093d80a0acb0d82f351`
- `def993dbd843ff28f2b3bad5cc24603874ba9f1e`
### Release Process Note
The advisory is pre-set with patched version `2026.2.24` so it is ready for publication once that npm release is available.
OpenClaw thanks @tdjackey for reporting.
### Publication Update (2026-02-25)
`[email protected]` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.
ghsa CVSS4.0
6.1
Vulnerability type
CWE-22
Path Traversal
CWE-284
Improper Access Control
- https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49
- https://github.com/openclaw/openclaw/commit/79a7b3d22ef92e36a4031093d80a0acb0d82...
- https://github.com/openclaw/openclaw/commit/d3da67c7a9b463edc1a9b1c1f7af107a34ca...
- https://github.com/openclaw/openclaw/commit/def993dbd843ff28f2b3bad5cc24603874ba...
- https://github.com/advisories/GHSA-33hm-cq8r-wc49
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026