GHSA-XMV6-R34M-62P4
Vulnerability from github – Published: 2026-03-03 22:08 – Updated: 2026-03-03 22:08Summary
A sandbox path validation bypass in openclaw allows host file reads outside sandboxRoot via the media path fallback tmp flow when the fallback tmp root is a symlink alias.
Affected Packages / Versions
- Package:
npm openclaw - Affected versions:
<= 2026.2.24 - Latest published npm version at triage time (February 26, 2026):
2026.2.24 - Patched version :
2026.2.25
Details
When /tmp/openclaw is unavailable or unsafe, resolvePreferredOpenClawTmpDir() in src/infra/tmp-openclaw-dir.ts fell back to os.tmpdir()/openclaw-<uid> without verifying that fallback path was a trusted non-symlink directory.
resolveSandboxedMediaSource() (src/agents/sandbox-paths.ts) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to /), inputs like $TMPDIR/openclaw-<uid>/etc/passwd can pass validation and resolve to host files outside sandboxRoot.
Impact
This can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).
Reproduction (high level)
- Force resolver fallback (make
/tmp/openclawunavailable/invalid). - Make fallback root (
$TMPDIR/openclaw-<uid>) a symlink alias to/. - Submit media path under fallback root (for example
$TMPDIR/openclaw-<uid>/etc/passwd). - Observe accepted path and read outside
sandboxRoot.
Fix Commit(s)
496a76c03ba85e15ea715e5a583e498ae04d36e3
Release Process Note
Patched version is pre-set to release 2026.2.25; once npm publish for 2026.2.25 is complete, this advisory can be published without further metadata edits.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.24"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T22:08:54Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA sandbox path validation bypass in `openclaw` allows host file reads outside `sandboxRoot` via the media path fallback tmp flow when the fallback tmp root is a symlink alias.\n\n### Affected Packages / Versions\n- Package: `npm openclaw`\n- Affected versions: `\u003c= 2026.2.24`\n- Latest published npm version at triage time (February 26, 2026): `2026.2.24`\n- Patched version : `2026.2.25`\n\n### Details\nWhen `/tmp/openclaw` is unavailable or unsafe, `resolvePreferredOpenClawTmpDir()` in `src/infra/tmp-openclaw-dir.ts` fell back to `os.tmpdir()/openclaw-\u003cuid\u003e` without verifying that fallback path was a trusted non-symlink directory.\n\n`resolveSandboxedMediaSource()` (`src/agents/sandbox-paths.ts`) allows absolute tmp media paths under the OpenClaw tmp root using lexical containment and alias checks. If the fallback tmp root is a symlink alias (for example to `/`), inputs like `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd` can pass validation and resolve to host files outside `sandboxRoot`.\n\n### Impact\nThis can break sandbox media path confinement and permit unauthorized host file reads (confidentiality impact).\n\n### Reproduction (high level)\n1. Force resolver fallback (make `/tmp/openclaw` unavailable/invalid).\n2. Make fallback root (`$TMPDIR/openclaw-\u003cuid\u003e`) a symlink alias to `/`.\n3. Submit media path under fallback root (for example `$TMPDIR/openclaw-\u003cuid\u003e/etc/passwd`).\n4. Observe accepted path and read outside `sandboxRoot`.\n\n### Fix Commit(s)\n- `496a76c03ba85e15ea715e5a583e498ae04d36e3`\n\n### Release Process Note\nPatched version is pre-set to release `2026.2.25`; once npm publish for `2026.2.25` is complete, this advisory can be published without further metadata edits.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-xmv6-r34m-62p4",
"modified": "2026-03-03T22:08:54Z",
"published": "2026-03-03T22:08:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xmv6-r34m-62p4"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.