
OpenClaw allows unauthorized file access when configured for sandbox mode

GHSA-27cr-4p5m-74rj
Summary

When OpenClaw's file-system tools are restricted to the workspace (sandbox mode, `tools.fs.workspaceOnly=true`), an attacker who can influence a tool's path argument can read files outside the allowed workspace by supplying an `@`-prefixed absolute path such as `@/etc/passwd`: the boundary check ran on the raw argument, while the runtime normalized the `@` prefix and opened the absolute path. This issue is fixed in version 2026.2.24 and later. To stay secure, update to the latest version of OpenClaw.

What to do
  • Update openclaw to version 2026.2.24 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.2.23 | 2026.2.24 |
Original title
OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
Original description
A workspace-only file-system guard mismatch allowed `@`-prefixed absolute paths to bypass boundary validation in some tool path checks.

### Impact
When `tools.fs.workspaceOnly=true`, certain `@`-prefixed absolute paths (for example `@/etc/passwd`) could be validated before canonicalization while runtime path handling normalized the prefix differently. In affected code paths this could permit reads outside the intended workspace boundary.

Per `SECURITY.md`, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published at triage time: `2026.2.23`
- Affected versions: `<= 2026.2.23`
- Patched versions: `>= 2026.2.24`

### Fix Commit(s)
- `9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260`

OpenClaw thanks @tdjackey for reporting.
Severity (GHSA, CVSS 4.0): 5.7
Vulnerability type
CWE-22 Path Traversal
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026