GHSA-XMV6-R34M-62P4

Vulnerability from github – Published: 2026-03-03 22:08 – Updated: 2026-03-03 22:08
VLAI
Summary
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
Details

Summary

A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.24
  • Latest published npm version at triage time (February 26, 2026): 2026.2.24
  • Patched version : 2026.2.25

Details

When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-<uid> without verifying that fallback path was a trusted non-symlink directory.

resolveSandboxedMediaSource() (src/agents/sandbox-paths.ts) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to /), inputs like $TMPDIR/openclaw-<uid>/etc/passwd can pass validation and resolve to host files outside sandboxRoot.

Impact

This can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).

Reproduction (high level)

  1. Force resolver fallback (make /tmp/openclaw unavailable/invalid).
  2. Make fallback root ($TMPDIR/openclaw-<uid>) a symlink alias to /.
  3. Submit media path under fallback root (for example $TMPDIR/openclaw-<uid>/etc/passwd).
  4. Observe accepted path and read outside sandboxRoot.

Fix Commit(s)

  • 496a76c03ba85e15ea715e5a583e498ae04d36e3

Release Process Note

Patched version is pre-set to release 2026.2.25; once npm publish for 2026.2.25 is complete, this advisory can be published without further metadata edits.

OpenClaw thanks @tdjackey for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:08:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nA sandbox path validation bypass in `openclaw` allows host file reads outside `sandboxRoot` via the media path fallback tmp flow when the fallback tmp root is a symlink alias.\n\n### Affected Packages / Versions\n- Package: `npm openclaw`\n- Affected versions: `\u003c= 2026.2.24`\n- Latest published npm version at triage time (February 26, 2026): `2026.2.24`\n- Patched version : `2026.2.25`\n\n### Details\nWhen `/tmp/openclaw` is unavailable or unsafe, `resolvePreferredOpenClawTmpDir()` in `src/infra/tmp-openclaw-dir.ts` fell back to `os.tmpdir()/openclaw-\u003cuid\u003e` without verifying that fallback path was a trusted non-symlink directory.\n\n`resolveSandboxedMediaSource()` (`src/agents/sandbox-paths.ts`) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to `/`), inputs like `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd` can pass validation and resolve to host files outside `sandboxRoot`.\n\n### Impact\nThis can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).\n\n### Reproduction (high level)\n1. Force resolver fallback (make `/tmp/openclaw` unavailable/invalid).\n2. Make fallback root (`$TMPDIR/openclaw-\u003cuid\u003e`) a symlink alias to `/`.\n3. Submit media path under fallback root (for example `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd`).\n4. Observe accepted path and read outside `sandboxRoot`.\n\n### Fix Commit(s)\n- `496a76c03ba85e15ea715e5a583e498ae04d36e3`\n\n### Release Process Note\nPatched version is pre-set to release `2026.2.25`; once npm publish for `2026.2.25` is complete, this advisory can be published without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-xmv6-r34m-62p4",
  "modified": "2026-03-03T22:08:54Z",
  "published": "2026-03-03T22:08:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…