CVE-2026-35668
Path Traversal in OpenClaw Sandbox Allows Arbitrary File Access

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.
Meta Information
Published: 2026-04-10
Last Modified: 2026-04-13
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: to 2026.3.24 (exc)
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthorized access to sensitive files such as API keys and configuration data by bypassing sandbox restrictions. This unauthorized access to sensitive information can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

By breaking the multi-agent sandbox isolation, the vulnerability undermines critical security boundaries designed to protect sensitive data, potentially resulting in non-compliance with confidentiality and data protection requirements mandated by these regulations.


How can this vulnerability impact me?

This vulnerability allows an attacker with low privileges and no user interaction to bypass sandbox restrictions and read sensitive files from other agents' workspaces. This includes access to confidential information such as API keys, session data, logs, and configuration files.

The breach of sandbox isolation compromises a critical security boundary in OpenClaw, potentially leading to unauthorized data exposure and further exploitation within the affected environment.


Can you explain this vulnerability to me?

CVE-2026-35668 is a high-severity path traversal vulnerability in OpenClaw versions before 2026.3.24. It occurs because the software does not properly validate certain parameter keys, specifically 'mediaUrl' and 'fileUrl', which are used by various channel extensions for media attachments. These keys bypass the sandbox's path normalization and validation, allowing a sandboxed agent to read arbitrary files from other agents' workspaces.

The vulnerability arises from two main issues: incomplete parameter key validation in the function 'normalizeSandboxMediaParams', which only allows a limited set of keys and excludes 'mediaUrl' and 'fileUrl'; and the omission of the 'mediaLocalRoots' context when dispatching actions to plugins, causing plugins to default to a broad directory access that includes all agents' workspaces.

An attacker can exploit this by sending crafted requests with unnormalized 'mediaUrl' or 'fileUrl' parameters to access sensitive files such as API keys and configuration data outside the intended sandbox boundaries, effectively escaping the sandbox isolation.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of CVE-2026-35668 involves identifying attempts to exploit the path traversal vulnerability via unnormalized mediaUrl or fileUrl parameters in OpenClaw message tool calls.

Specifically, monitoring logs or network traffic for message tool calls containing the parameters `mediaUrl` or `fileUrl` with suspicious or absolute paths that attempt to access other agents' workspaces (e.g., paths including `~/.openclaw/workspace/agent-b/`) can indicate exploitation attempts.

Since the vulnerability arises from incomplete parameter validation and missing sandbox context, commands or scripts that scan OpenClaw logs for these parameter keys or unusual file access patterns can help detect exploitation.

No specific detection commands are provided in the resources, but general approaches include:

  • Using grep or similar tools to search OpenClaw logs for `mediaUrl` or `fileUrl` parameters with path traversal patterns.
  • Monitoring file access logs for unauthorized reads outside sandbox directories.
  • Network traffic inspection for suspicious message tool calls containing these parameters.
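
The log search described above, together with the sandbox-root check that the explanation says was skipped for these two keys, as an added example (not OpenClaw code and not part of the original advisory): it resolves every `mediaUrl`/`fileUrl` value in a tool-call log and flags those that land outside the calling agent's workspace, also covering relative paths and `file://` URLs. The JSON-lines log format, the `HOME` value and the `workspace/<agent>/` layout (inferred from the example path above) are assumptions, and the sample lines are constructed.

```python
import json
import posixpath
from urllib.parse import unquote, urlparse

# Assumptions: JSON-lines tool-call log with "agent" and "params" fields;
# per-agent workspaces under ~/.openclaw/workspace/<agent>/; HOME is constructed.
HOME = "/home/oc"
WORKSPACES = HOME + "/.openclaw/workspace"
KEYS = ("mediaUrl", "fileUrl")  # the two parameter keys named in the advisory

def resolve_local(value, own_root):
    """Normalized local path a value points at, or None for remote URLs."""
    url = urlparse(value)
    if url.scheme in ("http", "https"):
        return None
    raw = unquote(url.path) if url.scheme == "file" else value
    if raw.startswith("~/"):
        raw = HOME + raw[1:]
    # Relative paths resolve against the caller's workspace; normpath folds "..".
    return posixpath.normpath(posixpath.join(own_root, raw))

def inside(path, root):
    return path == root or path.startswith(root + "/")

def triage(line):
    """Return (agent, key, resolved_path, verdict) per out-of-sandbox reference."""
    event = json.loads(line)
    own_root = posixpath.join(WORKSPACES, event["agent"])
    findings = []
    for key in KEYS:
        value = event.get("params", {}).get(key)
        path = resolve_local(value, own_root) if isinstance(value, str) else None
        if path is None or inside(path, own_root):
            continue
        verdict = "cross-agent" if inside(path, WORKSPACES) else "outside-sandbox"
        findings.append((event["agent"], key, path, verdict))
    return findings

# Constructed sample log lines (not real OpenClaw output).
SAMPLE_LOG = [
    '{"agent":"agent-a","params":{"mediaUrl":"https://example.com/chart.png"}}',
    '{"agent":"agent-a","params":{"mediaUrl":"~/.openclaw/workspace/agent-a/out/chart.png"}}',
    '{"agent":"agent-a","params":{"fileUrl":"~/.openclaw/workspace/agent-b/notes.txt"}}',
    '{"agent":"agent-a","params":{"mediaUrl":"out/../../agent-b/notes.txt"}}',
    '{"agent":"agent-a","params":{"fileUrl":"file:///etc/hostname"}}',
]

def scan(lines):
    return [finding for line in lines for finding in triage(line)]
```

Calling `scan(SAMPLE_LOG)` returns three findings: two `cross-agent` references into agent-b's workspace and one `outside-sandbox` reference. A plain substring search for `../` would miss the third sample line, which uses an absolute path.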

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability has been fixed.

This update includes proper validation of the `mediaUrl` and `fileUrl` parameters and correct propagation of the `mediaLocalRoots` context to enforce sandbox restrictions.

Until the update can be applied, consider restricting or monitoring usage of message tool calls with `mediaUrl` and `fileUrl` parameters to prevent exploitation.

Additionally, review sandbox configurations and access controls to limit potential damage from unauthorized file reads.

