CVE-2026-35668
Received Received - Intake
Path Traversal in OpenClaw Sandbox Allows Arbitrary File Access

Publication date: 2026-04-10

Last updated on: 2026-04-13

Assigner: VulnCheck

Description
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35668
EUVD
EUVD-2026-21482
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.3.24 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker with low privileges and no user interaction to bypass sandbox restrictions and read sensitive files from other agents' workspaces. This includes access to confidential information such as API keys, session data, logs, and configuration files.

The breach of sandbox isolation compromises a critical security boundary in OpenClaw, potentially leading to unauthorized data exposure and further exploitation within the affected environment.

Executive Summary

CVE-2026-35668 is a high-severity path traversal vulnerability in OpenClaw versions before 2026.3.24. It occurs because the software does not properly validate certain parameter keys, specifically 'mediaUrl' and 'fileUrl', which are used by various channel extensions for media attachments. These keys bypass the sandbox's path normalization and validation, allowing a sandboxed agent to read arbitrary files from other agents' workspaces.

The vulnerability arises from two main issues: incomplete parameter key validation in the function 'normalizeSandboxMediaParams', which only allows a limited set of keys and excludes 'mediaUrl' and 'fileUrl'; and the omission of the 'mediaLocalRoots' context when dispatching actions to plugins, causing plugins to default to a broad directory access that includes all agents' workspaces.

An attacker can exploit this by sending crafted requests with unnormalized 'mediaUrl' or 'fileUrl' parameters to access sensitive files such as API keys and configuration data outside the intended sandbox boundaries, effectively escaping the sandbox isolation.

Compliance Impact

The vulnerability allows unauthorized access to sensitive files such as API keys and configuration data by bypassing sandbox restrictions. This unauthorized access to sensitive information can lead to violations of data protection standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.

By breaking the multi-agent sandbox isolation, the vulnerability undermines critical security boundaries designed to protect sensitive data, potentially resulting in non-compliance with confidentiality and data protection requirements mandated by these regulations.

Detection Guidance

Detection of CVE-2026-35668 involves identifying attempts to exploit the path traversal vulnerability via unnormalized mediaUrl or fileUrl parameters in OpenClaw message tool calls.

Specifically, monitoring logs or network traffic for message tool calls containing the parameters `mediaUrl` or `fileUrl` with suspicious or absolute paths that attempt to access other agents' workspaces (e.g., paths including `~/.openclaw/workspace/agent-b/`) can indicate exploitation attempts.

Since the vulnerability arises from incomplete parameter validation and missing sandbox context, commands or scripts that scan OpenClaw logs for these parameter keys or unusual file access patterns can help detect exploitation.

No specific detection commands are provided in the resources, but general approaches include:

  • Using grep or similar tools to search OpenClaw logs for `mediaUrl` or `fileUrl` parameters with path traversal patterns.
  • Monitoring file access logs for unauthorized reads outside sandbox directories.
  • Network traffic inspection for suspicious message tool calls containing these parameters.
Mitigation Strategies

The primary mitigation step is to upgrade OpenClaw to version 2026.3.24 or later, where the vulnerability has been fixed.

This update includes proper validation of the `mediaUrl` and `fileUrl` parameters and correct propagation of the `mediaLocalRoots` context to enforce sandbox restrictions.

Until the update can be applied, consider restricting or monitoring usage of message tool calls with `mediaUrl` and `fileUrl` parameters to prevent exploitation.

Additionally, review sandbox configurations and access controls to limit potential damage from unauthorized file reads.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35668. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart