GHSA-27CR-4P5M-74RJ

Vulnerability from github – Published: 2026-03-03 22:11 – Updated: 2026-03-25 18:46
Summary
OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths
Details

A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks.

Impact

When tools.fs.workspaceOnly=true, certain @-prefixed absolute paths (for example @/etc/passwd) could be validated before canonicalization while runtime path handling normalized the prefix differently. In affected code paths this could permit reads outside the intended workspace boundary.

Per SECURITY.md, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published at triage time: 2026.2.23
  • Affected versions: <= 2026.2.23
  • Patched versions: >= 2026.2.24

Fix Commit(s)

  • 9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260

OpenClaw thanks @tdjackey for reporting.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-180",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T22:11:54Z",
    "nvd_published_at": "2026-03-19T22:16:38Z",
    "severity": "MODERATE"
  },
  "details": "A workspace-only file-system guard mismatch allowed `@`-prefixed absolute paths to bypass boundary validation in some tool path checks.\n\n### Impact\nWhen `tools.fs.workspaceOnly=true`, certain `@`-prefixed absolute paths (for example `@/etc/passwd`) could be validated before canonicalization while runtime path handling normalized the prefix differently. In affected code paths this could permit reads outside the intended workspace boundary.\n\nPer `SECURITY.md`, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published at triage time: `2026.2.23`\n- Affected versions: `\u003c= 2026.2.23`\n- Patched versions: `\u003e= 2026.2.24`\n\n### Fix Commit(s)\n- `9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260`\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-27cr-4p5m-74rj",
  "modified": "2026-03-25T18:46:17Z",
  "published": "2026-03-03T22:11:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-27cr-4p5m-74rj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32033"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-via-prefixed-absolute-paths-in-workspace-boundary-validation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has a workspace-only sandbox guard mismatch for @-prefixed absolute paths"
}
