Vulnerability-Lookup

CVE-2026-35668 (GCVE-0-2026-35668)

Vulnerability from cvelistv5 – Published: 2026-04-10 16:03 – Updated: 2026-04-10 18:27 X_Open Source

Title

OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters

Summary

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.

Severity ?

7.1 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

7.7 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

VulnCheck

References

URL

Tags

	https://github.com/openclaw/openclaw/security/adv…	third-party-advisory
	https://www.vulncheck.com/advisories/openclaw-san…	third-party-advisory

Impacted products

	Vendor	Product	Version
	OpenClaw	OpenClaw	Affected: 0 , < 2026.3.24 (semver) Unaffected: 2026.3.24 (semver)

Date Public ?

2026-03-27 00:00

Credits

Edward-x (@YLChen-007)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-35668",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T18:26:56.766030Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T18:27:23.337Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "OpenClaw",
          "vendor": "OpenClaw",
          "versions": [
            {
              "lessThan": "2026.3.24",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2026.3.24",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
                  "versionEndExcluding": "2026.3.24",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Edward-x (@YLChen-007)"
        }
      ],
      "datePublic": "2026-03-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents\u0027 workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T16:03:27.149Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-hr5v-j9h9-xjhg)",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw \u003c 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters"
        }
      ],
      "tags": [
        "x_open-source"
      ],
      "title": "OpenClaw \u003c 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-35668",
    "datePublished": "2026-04-10T16:03:27.149Z",
    "dateReserved": "2026-04-04T12:32:50.476Z",
    "dateUpdated": "2026-04-10T18:27:23.337Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-35668\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-04-10T17:17:09.060\",\"lastModified\":\"2026-04-10T17:17:09.060\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents\u0027 workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":4.0}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters\",\"source\":\"disclosure@vulncheck.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-35668\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-10T18:26:56.766030Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-10T18:27:01.033Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"OpenClaw \u003c 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"Edward-x (@YLChen-007)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"OpenClaw\", \"product\": \"OpenClaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2026.3.24\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"2026.3.24\", \"versionType\": \"semver\"}], \"packageURL\": \"pkg:npm/openclaw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-03-27T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg\", \"name\": \"GitHub Security Advisory (GHSA-hr5v-j9h9-xjhg)\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parameters\", \"name\": \"VulnCheck Advisory: OpenClaw \u003c 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents\u0027 workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2026.3.24\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-04-10T16:03:27.149Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-35668\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-10T18:27:23.337Z\", \"dateReserved\": \"2026-04-04T12:32:50.476Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-04-10T16:03:27.149Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-HR5V-J9H9-XJHG

Vulnerability from github – Published: 2026-03-30 18:31 – Updated: 2026-04-10 17:29

Summary

OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)

Details

Fixed in OpenClaw 2026.3.24, the current shipping release.

Advisory Details

Title: Sandbox Media Root Bypass via Unnormalized mediaUrl / fileUrl Parameter Keys (CWE-22)

Description:

Summary

A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the mediaUrl or fileUrl parameter key in message tool calls. The normalizeSandboxMediaParams function only checks ["media", "path", "filePath"] keys, while mediaUrl and fileUrl escape normalization entirely. Combined with handlePluginAction dropping mediaLocalRoots from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.

Details

The vulnerability exists in two files within the messaging pipeline:

1. Incomplete parameter key coverage in normalizeSandboxMediaParams:

In src/infra/outbound/message-action-params.ts, the function iterates over a hardcoded allowlist of parameter keys to validate:

// Line 212
const mediaKeys: Array<"media" | "path" | "filePath"> = ["media", "path", "filePath"];

The mediaUrl and fileUrl parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by resolveSandboxedMediaSource.

2. Dropped mediaLocalRoots in handlePluginAction:

In src/infra/outbound/message-action-runner.ts, the handlePluginAction function dispatches actions to channel plugins but omits mediaLocalRoots from the context:

// Lines 684-697
const handled = await dispatchChannelMessageAction({
    channel,
    action,
    cfg,
    params,
    accountId: accountId ?? undefined,
    requesterSenderId: input.requesterSenderId ?? undefined,
    sessionKey: input.sessionKey,
    sessionId: input.sessionId,
    agentId,
    gateway,
    toolContext: input.toolContext,
    dryRun,
    // mediaLocalRoots is MISSING here
});

Despite ChannelMessageActionContext defining mediaLocalRoots?: readonly string[] (in src/channels/plugins/types.core.ts line 478), plugins receive undefined and fall back to getDefaultMediaLocalRoots(), which permits reads of the entire ~/.openclaw/ directory tree — including all agents' workspaces.

Attack chain: 1. A sandboxed agent (Agent-A at ~/.openclaw/workspace/agent-a/) calls the message tool with { mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" } 2. normalizeSandboxMediaParams skips the mediaUrl key (not in allowlist) 3. handlePluginAction dispatches without mediaLocalRoots 4. Plugin calls loadWebMedia with default roots, which allows ~/.openclaw/workspace/** 5. Agent-B's secret file content is read and sent as a channel attachment

PoC

Prerequisites: - Docker installed - OpenClaw Docker image built (openclaw-gateway:latest)

Steps:

Start the vulnerable gateway container:

cd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/
docker compose up -d
sleep 5

Run the exploit:

python3 poc_exploit.py

The exploit writes a secret file to ~/.openclaw/workspace/agent-b/secret_key.txt inside the container, then invokes normalizeSandboxMediaParams with Agent-A's sandbox policy and { mediaUrl: <agent-b-secret-path> }. The mediaUrl key bypasses normalization, and loadWebMedia reads the file successfully.
Run the control experiment to confirm sandbox works for checked keys:

python3 control-sandbox_enforced.py

Log of Evidence

Exploit output:

=== CVE-2026-27522 Variant: Sandbox Media Root Bypass ===

[*] Container 'openclaw-media-bypass-test' is running
[*] Running exploit script with Bun...

[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams!
  Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a
  mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt
  args after normalization: {"mediaUrl":"/root/.openclaw/workspace/agent-b/secret_key.txt"}
[EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef

=== EXPLOIT SUCCESSFUL ===
Agent-A read Agent-B's secret file via mediaUrl, bypassing sandbox.

[+] RESULT: VULNERABLE — mediaUrl bypasses sandbox enforcement

Control experiment output:

=== Control Experiment: Sandbox Enforcement for 'media' Key ===

[*] Container 'openclaw-media-bypass-test' is running
[*] Running control script with Bun...

[SAFE] normalizeSandboxMediaParams blocked 'media' key as expected!
  Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt

=== CONTROL EXPERIMENT PASSED ===
The 'media' parameter IS correctly checked by sandbox enforcement.
Only unchecked keys (mediaUrl, fileUrl) bypass the sandbox.

[+] CONTROL PASSED: 'media' key is correctly enforced by sandbox

Impact

This is a sandbox escape vulnerability. An attacker who can influence an agent's tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents' workspaces. This includes: - API keys and secrets stored in other agents' sandboxes - Session data and conversation logs - Configuration files with sensitive credentials - Any file within the ~/.openclaw/ directory tree

This completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project's Docker and sandboxing documentation.

Affected products

Ecosystem: npm
Package name: openclaw
Affected versions: <= 2026.3.14 (current latest)
Patched versions:

Severity

Severity: High
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Weaknesses

CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

Permalink	Description
https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227	The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist — `mediaUrl` and `fileUrl` are not checked.
https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697	The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`.
https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478	The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`.

Severity ?

7.7 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T18:31:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Advisory Details\n**Title**: Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)\n\n**Description**:\n### Summary\nA path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents\u0027 workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `[\"media\", \"path\", \"filePath\"]` keys, while `mediaUrl` and `fileUrl` escape normalization entirely. Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.\n\n### Details\nThe vulnerability exists in two files within the messaging pipeline:\n\n**1. Incomplete parameter key coverage in `normalizeSandboxMediaParams`:**\n\nIn `src/infra/outbound/message-action-params.ts`, the function iterates over a hardcoded allowlist of parameter keys to validate:\n\n```typescript\n// Line 212\nconst mediaKeys: Array\u003c\"media\" | \"path\" | \"filePath\"\u003e = [\"media\", \"path\", \"filePath\"];\n```\n\nThe `mediaUrl` and `fileUrl` parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by `resolveSandboxedMediaSource`.\n\n**2. Dropped `mediaLocalRoots` in `handlePluginAction`:**\n\nIn `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but omits `mediaLocalRoots` from the context:\n\n```typescript\n// Lines 684-697\nconst handled = await dispatchChannelMessageAction({\n    channel,\n    action,\n    cfg,\n    params,\n    accountId: accountId ?? undefined,\n    requesterSenderId: input.requesterSenderId ?? undefined,\n    sessionKey: input.sessionKey,\n    sessionId: input.sessionId,\n    agentId,\n    gateway,\n    toolContext: input.toolContext,\n    dryRun,\n    // mediaLocalRoots is MISSING here\n});\n```\n\nDespite `ChannelMessageActionContext` defining `mediaLocalRoots?: readonly string[]` (in `src/channels/plugins/types.core.ts` line 478), plugins receive `undefined` and fall back to `getDefaultMediaLocalRoots()`, which permits reads of the entire `~/.openclaw/` directory tree \u2014 including all agents\u0027 workspaces.\n\n**Attack chain:**\n1. A sandboxed agent (Agent-A at `~/.openclaw/workspace/agent-a/`) calls the message tool with `{ mediaUrl: \"~/.openclaw/workspace/agent-b/secret.txt\" }`\n2. `normalizeSandboxMediaParams` skips the `mediaUrl` key (not in allowlist)\n3. `handlePluginAction` dispatches without `mediaLocalRoots`\n4. Plugin calls `loadWebMedia` with default roots, which allows `~/.openclaw/workspace/**`\n5. Agent-B\u0027s secret file content is read and sent as a channel attachment\n\n### PoC\n\n**Prerequisites:**\n- Docker installed\n- OpenClaw Docker image built (`openclaw-gateway:latest`)\n\n**Steps:**\n\n1. Start the vulnerable gateway container:\n\n```bash\ncd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/\ndocker compose up -d\nsleep 5\n```\n\n2. Run the exploit:\n\n```bash\npython3 poc_exploit.py\n```\n\n3. The exploit writes a secret file to `~/.openclaw/workspace/agent-b/secret_key.txt` inside the container, then invokes `normalizeSandboxMediaParams` with Agent-A\u0027s sandbox policy and `{ mediaUrl: \u003cagent-b-secret-path\u003e }`. The `mediaUrl` key bypasses normalization, and `loadWebMedia` reads the file successfully.\n\n4. Run the control experiment to confirm sandbox works for checked keys:\n\n```bash\npython3 control-sandbox_enforced.py\n```\n\n### Log of Evidence\n\n**Exploit output:**\n```\n=== CVE-2026-27522 Variant: Sandbox Media Root Bypass ===\n\n[*] Container \u0027openclaw-media-bypass-test\u0027 is running\n[*] Running exploit script with Bun...\n\n[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams!\n  Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a\n  mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt\n  args after normalization: {\"mediaUrl\":\"/root/.openclaw/workspace/agent-b/secret_key.txt\"}\n[EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef\n\n=== EXPLOIT SUCCESSFUL ===\nAgent-A read Agent-B\u0027s secret file via mediaUrl, bypassing sandbox.\n\n[+] RESULT: VULNERABLE \u2014 mediaUrl bypasses sandbox enforcement\n```\n\n**Control experiment output:**\n```\n=== Control Experiment: Sandbox Enforcement for \u0027media\u0027 Key ===\n\n[*] Container \u0027openclaw-media-bypass-test\u0027 is running\n[*] Running control script with Bun...\n\n[SAFE] normalizeSandboxMediaParams blocked \u0027media\u0027 key as expected!\n  Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt\n\n=== CONTROL EXPERIMENT PASSED ===\nThe \u0027media\u0027 parameter IS correctly checked by sandbox enforcement.\nOnly unchecked keys (mediaUrl, fileUrl) bypass the sandbox.\n\n[+] CONTROL PASSED: \u0027media\u0027 key is correctly enforced by sandbox\n```\n\n### Impact\nThis is a **sandbox escape** vulnerability. An attacker who can influence an agent\u0027s tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents\u0027 workspaces. This includes:\n- API keys and secrets stored in other agents\u0027 sandboxes\n- Session data and conversation logs\n- Configuration files with sensitive credentials\n- Any file within the `~/.openclaw/` directory tree\n\nThis completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project\u0027s Docker and sandboxing documentation.\n\n### Affected products\n- **Ecosystem**: npm\n- **Package name**: openclaw\n- **Affected versions**: \u003c= 2026.3.14 (current latest)\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n\n### Weaknesses\n- **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227) | The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist \u2014 `mediaUrl` and `fileUrl` are not checked. |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697) | The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`. |\n| [https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478](https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478) | The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`. |",
  "id": "GHSA-hr5v-j9h9-xjhg",
  "modified": "2026-04-10T17:29:38Z",
  "published": "2026-03-30T18:31:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-35668 (GCVE-0-2026-35668)

GHSA-HR5V-J9H9-XJHG

Advisory Details

Summary

Details

PoC

Log of Evidence

Impact

Affected products

Severity

Weaknesses

Occurrences

Tags

Sightings

Nomenclature