Executive Summary

This vulnerability exists in OpenClaw versions before 2026.3.2, specifically in the image tool. It is a filesystem boundary bypass issue where the tool fails to enforce the tools.fs.workspaceOnly restrictions. As a result, attackers can traverse sandbox bridge mounts outside the designated workspace, allowing them to read files that other filesystem tools would normally block.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized access to files outside the designated workspace by bypassing filesystem boundary restrictions. This unauthorized file access could potentially lead to exposure of sensitive or protected data.

Such exposure risks may impact compliance with data protection regulations like GDPR or HIPAA, which require strict controls on access to personal or sensitive information to prevent unauthorized disclosure.

By enabling attackers to read files that should be restricted, the vulnerability undermines the enforcement of access controls, which are critical for maintaining regulatory compliance.

The fix introduced in OpenClaw version 2026.3.2 enforces stricter file system access policies, limiting file access strictly to the workspace directory when the workspaceOnly policy is enabled, thereby mitigating the risk of unauthorized data exposure.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the filesystem boundary bypass vulnerability in OpenClaw's image tool, you should upgrade OpenClaw to version 2026.3.2 or later, where the issue has been fixed.

The fix enforces the tools.fs.workspaceOnly policy correctly by restricting file access strictly to the workspace directory, preventing unauthorized file reads outside the workspace.

Ensure that the configuration option tools.fs.workspaceOnly is enabled to enforce workspace-only file access restrictions.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers with limited privileges to bypass filesystem boundaries and access files outside the intended workspace. This unauthorized file access can lead to exposure of sensitive or confidential information that should have been protected by the workspace restrictions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the OpenClaw image tool bypassing filesystem boundaries when the tools.fs.workspaceOnly restriction is enabled, allowing unauthorized file access outside the workspace.

Detection can focus on verifying whether the OpenClaw version in use is prior to 2026.3.2, as the vulnerability is fixed starting from that version.

To detect exploitation attempts or presence of the vulnerability on your system, you can:

• Check the OpenClaw version installed by running a command such as `openclaw --version` or inspecting the package version if installed via npm.
• Review logs for any unusual file access attempts by the image tool to directories outside the workspace, especially accesses to paths like `~/.openclaw/media` or `~/.openclaw/agents`.
• If you have access to the OpenClaw source or environment, test the enforcement of the `tools.fs.workspaceOnly` setting by attempting to load or read files outside the workspace using the image tool.

Example commands to check version and test file access might include:

• `openclaw --version` # To check the installed OpenClaw version.
• Attempt to run the image tool on a file outside the workspace directory and observe if access is allowed or denied.
• Monitor system or application logs for errors or warnings related to `assertLocalMediaAllowed()` or file access denials.

Note that no specific detection commands are provided in the available resources, but these general approaches align with the vulnerability context and fixes.

Useful 0 Not Useful 0