DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HR5V-J9H9-XJHG: GHSA-HR5V-J9H9-XJHG: Sandbox Bypass and Arbitrary File Exfiltration in OpenClaw

#security #cve #cybersecurity #ghsa

GHSA-HR5V-J9H9-XJHG: Sandbox Bypass and Arbitrary File Exfiltration in OpenClaw

Vulnerability ID: GHSA-HR5V-J9H9-XJHG
CVSS Score: 7.7
Published: 2026-03-30

OpenClaw prior to version 2026.3.24 contains a high-severity path traversal vulnerability (CWE-22) within its outbound media handling logic. By leveraging unnormalized parameter aliases, sandboxed agents can bypass filesystem isolation to read and exfiltrate arbitrary files from the host system.

TL;DR

Unvalidated parameter keys in OpenClaw's outbound message dispatchers permit path traversal. Sandboxed agents can exploit this to read and exfiltrate arbitrary host files via unmonitored media aliases. Immediate upgrade to version 2026.3.24 is required.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-22
  • Attack Vector: Network
  • Authentication: None (or unprivileged user)
  • Impact: High (Arbitrary File Read)
  • Exploit Status: Proof of Concept available
  • CVSS v3.1 Base Score: 7.7

Affected Systems

  • OpenClaw AI agent platform
  • openclaw npm package
  • openclaw: < 2026.3.24 (Fixed in: 2026.3.24)

Mitigation Strategies

  • Upgrade OpenClaw package to version 2026.3.24 or later.
  • Disable the message-tool in agent configuration profiles if patching is delayed.
  • Enforce least privilege by running the OpenClaw service as a non-root user.
  • Deploy OpenClaw in containers with read-only root filesystems.
  • Utilize AppArmor or SELinux profiles to strictly limit application filesystem access.

Remediation Steps:

  1. Identify all deployments and container images utilizing the openclaw npm package.
  2. Update the package.json dependency for openclaw to >= 2026.3.24.
  3. Rebuild deployment artifacts and redeploy the OpenClaw services.
  4. Verify the patch by attempting to transmit a host file using the mediaUrl parameter via a sandboxed agent; expect an access denial error.

References

Read the full report for GHSA-HR5V-J9H9-XJHG on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)