Executive Summary

CVE-2026-31990 is a vulnerability in OpenClaw versions prior to 2026.3.2 that affects the stageSandboxMedia function. The issue arises because the function does not properly validate destination symbolic links during media staging. This allows attackers to place symlinks inside the media/inbound directory that point outside the sandbox workspace, enabling writes to arbitrary files on the host system beyond the sandbox boundaries.

The root cause is that while source paths were validated, the destination files were written using direct copy operations without enforcing checks to prevent symlink traversal. This flaw allows attackers to escape the sandbox by overwriting files outside the intended workspace.

The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access) and was fixed in OpenClaw version 2026.3.2 by implementing root-scoped safe write operations that block symlink escapes.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with local access and low privileges to overwrite arbitrary files on the host system outside the sandbox workspace by exploiting symlink traversal during media staging.

The impact includes high integrity damage because attackers can modify files they should not have access to, potentially leading to unauthorized code execution, data corruption, or system instability.

The CVSS v4.0 score of 6.9 reflects a moderate severity with a local attack vector, low attack complexity, and no required user interaction, emphasizing the risk of unauthorized file modification.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves symlink traversal in the media/inbound directory of OpenClaw prior to version 2026.3.2, allowing writes outside the sandbox workspace. To detect it, you can check for the presence of symbolic links within the media/inbound directory that point outside the intended sandbox workspace.

Suggested commands to detect suspicious symlinks include:

• Find all symlinks in the media/inbound directory: `find /path/to/openclaw/media/inbound -type l -ls`
• Check where each symlink points to and verify if it points outside the sandbox workspace root. For example, use `readlink` on each symlink: `readlink /path/to/openclaw/media/inbound/<symlink>`
• Compare the resolved symlink target paths to the sandbox root directory to identify any that escape the sandbox boundaries.

Monitoring file writes or unexpected modifications outside the sandbox workspace, especially triggered by media staging operations, can also help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenClaw to version 2026.3.2 or later, where the vulnerability has been fixed by enforcing strict root-boundary checks and safe file write operations during media staging.

Until the upgrade can be applied, immediate steps include:

• Prevent untrusted users from creating or placing symbolic links in the media/inbound directory.
• Restrict write permissions on the media/inbound directory to trusted users only.
• Manually audit and remove any existing symlinks in the media/inbound directory that point outside the sandbox workspace.
• Monitor file system activity for unexpected writes outside the sandbox workspace during media staging operations.

Useful 0 Not Useful 0