CVE Reports

Posted on • Originally published at cvereports.com

GHSA-CFP9-W5V9-3Q4H: Filesystem Sandbox Bypass in OpenClaw Agent Media Tools

Vulnerability ID: GHSA-CFP9-W5V9-3Q4H
CVSS Score: 6.9
Published: 2026-03-26

The OpenClaw AI agent framework contains a filesystem sandbox bypass vulnerability in its image and pdf tools. Due to improper path resolution and initialization of allowed directories, an attacker can extract sensitive files from the host system via the agent's vision model capabilities, bypassing the tools.fs.workspaceOnly security policy.

TL;DR

OpenClaw < 2026.3.2 fails to enforce the workspaceOnly policy in its media tools. Attackers can leverage sandbox bridge mounts to read out-of-workspace files and exfiltrate data via vision model processing.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-863, CWE-200
  • Attack Vector: Network / Remote
  • CVSS 4.0: 6.9 (Medium)
  • EPSS Score: 0.00034
  • Impact: Unauthorized file read and data exfiltration
  • Exploit Status: Proof of Concept (PoC)

Affected Systems

  • OpenClaw AI Agent Framework (npm: openclaw)
  • openclaw: < 2026.3.2 (Fixed in: 2026.3.2)

Code Analysis

Commit: dd9d9c1

Enforcing workspaceOnly in sandbox path resolution via assertSandboxPath

Commit: 14baadd

Restricting localRoots in tool initialization for image and pdf tools

Exploit Details

  • Research Report: Prompt injection payload targeting the image tool to read out-of-workspace files.

Mitigation Strategies

  • Upgrade the openclaw npm package to a patched release.
  • Audit and minimize sandbox bridge mounts to strictly required directories.
  • Enforce tools.fs.workspaceOnly: true in all agent configurations.

Remediation Steps:

  1. Identify all projects utilizing the openclaw npm package.
  2. Run npm install openclaw@^2026.3.2 to update the dependency.
  3. Review the openclaw.json configuration file to verify workspaceOnly is enabled.
  4. Inspect the sandbox mount configuration and remove any unnecessary host mappings.
  5. Restart the OpenClaw agent services to apply the updated code.
