CVE-2026-33581
Sandbox Bypass in OpenClaw Message Tool Allows Arbitrary File Access
Publication date: 2026-03-31
Last updated on: 2026-04-01
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | all versions before 2026.3.24 (2026.3.24 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33581 is a sandbox bypass vulnerability in OpenClaw versions before 2026.3.24. It occurs in the message tool where the parameters "mediaUrl" and "fileUrl" are used as aliases but do not undergo the same sandbox localRoots validation as the canonical media path.
This flaw allows attackers to bypass filesystem isolation by exploiting these alias parameters, enabling them to read arbitrary local files outside the intended sandbox directory.
The vulnerability was fixed in version 2026.3.24 and later.
How can this vulnerability impact me?
This vulnerability allows remote attackers with low privileges to read arbitrary local files on the affected system by bypassing sandbox restrictions.
An attacker can exploit this flaw remotely without any user interaction, potentially exposing sensitive or confidential information stored in files outside the sandbox.
The impact is primarily on confidentiality, as attackers can access files they should not be able to read, but it does not affect integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the exploitation of the mediaUrl and fileUrl alias parameters to bypass sandbox localRoots validation and read arbitrary local files.
Detection on your network or system would involve monitoring or inspecting requests to the message tool that carry these parameters, looking for attempts to reference files outside the intended sandbox directory.
Because the weakness is tied to specific request parameters, you can detect suspicious activity by searching logs or network traffic for mediaUrl or fileUrl values that contain path-traversal sequences or point outside the configured localRoots.
However, no specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, as the vulnerability was fixed in that release.
The fix closes the sandbox media root bypass for the mediaUrl and fileUrl alias parameters, preventing attackers from reading arbitrary local files.
If upgrading immediately is not possible, consider restricting or monitoring the use of mediaUrl and fileUrl parameters in your environment to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to read arbitrary local files by bypassing sandbox restrictions, potentially exposing sensitive or confidential information stored on the affected system.
Such unauthorized access to local files could lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.
Therefore, exploitation of this vulnerability may result in non-compliance with these regulations due to the risk of data breaches and unauthorized data disclosure.