CVE-2026-33581
Received Received - Intake
Sandbox Bypass in OpenClaw Message Tool Allows Arbitrary File Access

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: VulnCheck

Description
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33581
EUVD
EUVD-2026-17441
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows attackers to read arbitrary local files by bypassing sandbox restrictions, potentially exposing sensitive or confidential information stored on the affected system.

Such unauthorized access to local files could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to the risk of data breaches and unauthorized data disclosure.

Executive Summary

CVE-2026-33581 is a sandbox bypass vulnerability in OpenClaw versions before 2026.3.24. It occurs in the message tool where the parameters "mediaUrl" and "fileUrl" are used as aliases but do not undergo the same sandbox localRoots validation as the canonical media path.

This flaw allows attackers to bypass filesystem isolation by exploiting these alias parameters, enabling them to read arbitrary local files outside the intended sandbox directory.

The vulnerability was fixed in version 2026.3.24 and later.

Impact Analysis

This vulnerability allows remote attackers with low privileges to read arbitrary local files on the affected system by bypassing sandbox restrictions.

An attacker can exploit this flaw remotely without any user interaction, potentially exposing sensitive or confidential information stored in files outside the sandbox.

The impact is primarily on confidentiality, as attackers can access files they should not be able to read, but it does not affect integrity or availability.

Detection Guidance

This vulnerability involves the exploitation of the mediaUrl and fileUrl alias parameters to bypass sandbox localRoots validation and read arbitrary local files.

Detection on your network or system would involve monitoring or inspecting requests that use these parameters in the message tool, looking for attempts to access files outside the intended sandbox directory.

Since the vulnerability is related to specific parameters in requests, you can detect suspicious activity by searching logs or network traffic for usage of mediaUrl or fileUrl parameters with unusual or path traversal values.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, as the vulnerability was fixed in that release.

The fix closes the sandbox media root bypass for the mediaUrl and fileUrl alias parameters, preventing attackers from reading arbitrary local files.

If upgrading immediately is not possible, consider restricting or monitoring the use of mediaUrl and fileUrl parameters in your environment to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33581. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart