iMessage Attachment Path Validation Bypass in OpenClaw

GHSA-x9cf-3w63-rpq9
Summary

A security issue in OpenClaw allows an attacker who can manipulate iMessage attachment path metadata to read files outside the expected attachment directories on the configured remote host. This requires iMessage attachments to be enabled and remote attachment mode to be active (a remote host configured or auto-detected). To fix this, update to a version of OpenClaw that includes remote attachment path validation, or disable iMessage attachment ingestion if it is not needed. The original advisory assesses this as medium severity; the CVSS 4.0 score shown on this page is 8.7.

What to do
  • Update openclaw to version 2026.2.19 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | < 2026.2.19 | 2026.2.19 |
Original title
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
Original description
### Summary
When iMessage remote attachment fetching is enabled (`channels.imessage.remoteHost`), `stageSandboxMedia` accepted arbitrary absolute paths and used SCP to copy them into local staging.

If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.

### Affected Packages / Versions
- Package: `openclaw`
- Affected: up to and including `2026.2.17` (latest npm version as of February 19, 2026)
- Fixed: pending next release with remote attachment path validation

### Impact
Confidentiality impact. An attacker who can influence inbound attachment path metadata may disclose files readable by the OpenClaw process on the configured remote host.

### Attack Preconditions
1. iMessage attachments enabled (`channels.imessage.includeAttachments=true`), and
2. remote attachment mode active (`channels.imessage.remoteHost` configured or auto-detected), and
3. attacker can inject/tamper with attachment path metadata.

Given these preconditions, this advisory is assessed as **medium** severity.

### Fix Commit(s)
- `1316e5740382926e45a42097b4bfe0aef7d63e8e`

### Release Process Note
`patched_versions` should be set to the next released npm version that includes remote attachment path validation, then the advisory can be published.

### Mitigation
- Upgrade to the first release that includes remote attachment path validation.
- If remote attachments are not required, disable iMessage attachment ingestion.
- Run OpenClaw under least privilege on the remote host.

OpenClaw thanks @zpbrent for reporting.
Source: GHSA · CVSS 4.0: 8.7
Vulnerability type
CWE-22 Path Traversal
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026