GHSA-33HM-CQ8R-WC49

Vulnerability from github – Published: 2026-03-03 18:11 – Updated: 2026-03-20 21:12
VLAI?
Summary
Temporary path handling could write outside OpenClaw temp boundary
Details

Summary

Sandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version verified during triage: 2026.2.23
  • Affected versions: <= 2026.2.23
  • Patched versions (planned next release): >= 2026.2.24

Details

In affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under os.tmpdir(), without requiring that the path stay within the active sandboxRoot. Because outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery.

Impact

  • Confidentiality impact: high for deployments relying on sandboxRoot as a strict local filesystem boundary.
  • Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary.

Remediation

  • Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only.
  • Default SDK/extension temp helpers to OpenClaw-managed temp roots.
  • Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths.

Fix Commit(s)

  • d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5
  • 79a7b3d22ef92e36a4031093d80a0acb0d82f351
  • def993dbd843ff28f2b3bad5cc24603874ba9f1e

Release Process Note

The advisory is pre-set with patched version 2026.2.24 so it is ready for publication once that npm release is available.

OpenClaw thanks @tdjackey for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.1 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32026"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-284"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T18:11:16Z",
    "nvd_published_at": "2026-03-19T22:16:37Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nSandbox media local-path validation accepted absolute paths under host tmp, even when those paths were outside the active sandbox root.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published version verified during triage: `2026.2.23`\n- Affected versions: `\u003c= 2026.2.23`\n- Patched versions (planned next release): `\u003e= 2026.2.24`\n\n### Details\nIn affected versions, sandbox media path resolution allowed absolute host tmp paths as trusted media inputs when they were under `os.tmpdir()`, without requiring that the path stay within the active `sandboxRoot`.\nBecause outbound attachment hydration consumed these paths as already validated, this enabled out-of-sandbox host tmp file reads and exfiltration through attachment delivery.\n\n### Impact\n- Confidentiality impact: high for deployments relying on `sandboxRoot` as a strict local filesystem boundary.\n- Practical impact: attacker-controlled media references could read and attach host tmp files outside the sandbox workspace boundary.\n\n### Remediation\n- Restrict sandbox tmp-path acceptance to OpenClaw-managed temp roots only.\n- Default SDK/extension temp helpers to OpenClaw-managed temp roots.\n- Add CI guardrails to prevent broad tmp-root regressions in messaging/channel code paths.\n\n### Fix Commit(s)\n- `d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5`\n- `79a7b3d22ef92e36a4031093d80a0acb0d82f351`\n- `def993dbd843ff28f2b3bad5cc24603874ba9f1e`\n\n### Release Process Note\nThe advisory is pre-set with patched version `2026.2.24` so it is ready for publication once that npm release is available.\n\nOpenClaw thanks @tdjackey for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
  "id": "GHSA-33hm-cq8r-wc49",
  "modified": "2026-03-20T21:12:35Z",
  "published": "2026-03-03T18:11:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-33hm-cq8r-wc49"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32026"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/79a7b3d22ef92e36a4031093d80a0acb0d82f351"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/d3da67c7a9b463edc1a9b1c1f7af107a34ca32f5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/def993dbd843ff28f2b3bad5cc24603874ba9f1e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-improper-temporary-path-validation-in-sandbox"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Temporary path handling could write outside OpenClaw temp boundary"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.