DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-X9CF-3W63-RPQ9: GHSA-x9cf-3w63-rpq9: Path Traversal in OpenClaw stageSandboxMedia Leading to Arbitrary File Read

#security #cve #cybersecurity #ghsa

GHSA-x9cf-3w63-rpq9: Path Traversal in OpenClaw stageSandboxMedia Leading to Arbitrary File Read

Vulnerability ID: GHSA-X9CF-3W63-RPQ9
CVSS Score: 6.6
Published: 2026-03-03

OpenClaw, an AI automation tool for iMessage and other channels, contains a critical path traversal vulnerability in its media staging mechanism. The vulnerability exists within the stageSandboxMedia function, which prepares message attachments for AI processing. When configured to fetch attachments from a remote relay host via SSH/SCP, the system fails to validate the source file path provided in the message metadata. This allows an attacker to manipulate attachment metadata to point to arbitrary files on the host system (such as SSH keys or configuration files), which OpenClaw then copies into the AI's sandbox workspace. This effectively grants the AI agent—and potentially the attacker—read access to sensitive files outside the intended attachment directories.

TL;DR

OpenClaw versions prior to the Feb 19, 2026 patch allow path traversal via the stageSandboxMedia function. By spoofing attachment paths, attackers can force the system to copy arbitrary files (e.g., SSH keys) from the host into the AI sandbox, leading to sensitive information disclosure.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CWE ID: CWE-200 (Information Exposure)
  • CVSS v3.1: 6.6 (Medium)
  • Attack Vector: Network
  • Impact: High Confidentiality Loss
  • Exploit Maturity: PoC Available

Affected Systems

  • OpenClaw AI Assistant (NPM package)
  • macOS systems running OpenClaw with iMessage relay enabled
  • openclaw: < 2026-02-19 (Commit 1316e57) (Fixed in: Commit 1316e57)

Code Analysis

Commit: 1316e57

Fix path traversal in stageSandboxMedia by implementing inbound path policy

Mitigation Strategies

  • Input Validation: Implement strict allowlisting for all file paths used in system commands.
  • Least Privilege: Run the OpenClaw process with the minimum necessary filesystem permissions.
  • Path Canonicalization: Always resolve symlinks using fs.realpath before validating paths against an allowlist.

Remediation Steps:

  1. Update the openclaw package to the latest version (post-2026-02-19).
  2. Review config/default.json or user configuration to ensure attachmentRoots are restricted to necessary directories only.
  3. Restart the OpenClaw service to apply changes.

References

Read the full report for GHSA-X9CF-3W63-RPQ9 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)