GHSA-FQCM-97M6-W7RM

Vulnerability from github – Published: 2026-03-02 23:34 – Updated: 2026-03-18 21:50
Summary
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
Details

Impact

sendAttachment and setGroupIcon message actions could hydrate media from local absolute paths when sandboxRoot was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version at triage: 2026.2.23
  • Vulnerable: <= 2026.2.23
  • Patched in code: >= 2026.2.24 (planned next release)

Remediation

Upgrade to openclaw 2026.2.24 or later once published.

Fix Commit(s)

  • 270ab03e379f9653e15f7033c9830399b66b7e51

Release Process Note

patched_versions is pre-set to the planned next release (>= 2026.2.24). Once that npm release is published, this advisory can be published without further field edits.

OpenClaw thanks @GCXWLP for reporting.

Publication Update (2026-02-25)

openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.23"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T23:34:02Z",
    "nvd_published_at": "2026-03-18T02:16:23Z",
    "severity": "HIGH"
  },
  "details": "## Impact\n`sendAttachment` and `setGroupIcon` message actions could hydrate media from local absolute paths when `sandboxRoot` was unset, bypassing intended local media root checks. This could allow reads of arbitrary host files reachable by the runtime user when an authorized message-action path was triggered.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version at triage: `2026.2.23`\n- Vulnerable: `\u003c= 2026.2.23`\n- Patched in code: `\u003e= 2026.2.24` (planned next release)\n\n## Remediation\nUpgrade to `openclaw` `2026.2.24` or later once published.\n\n## Fix Commit(s)\n- 270ab03e379f9653e15f7033c9830399b66b7e51\n\n## Release Process Note\n`patched_versions` is pre-set to the planned next release (`\u003e= 2026.2.24`). Once that npm release is published, this advisory can be published without further field edits.\n\nOpenClaw thanks @GCXWLP for reporting.\n\n\n### Publication Update (2026-02-25)\n`openclaw@2026.2.24` is published on npm and contains the fix commit(s) listed above. This advisory now marks `\u003e= 2026.2.24` as patched.",
  "id": "GHSA-fqcm-97m6-w7rm",
  "modified": "2026-03-18T21:50:04Z",
  "published": "2026-03-02T23:34:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqcm-97m6-w7rm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/270ab03e379f9653e15f7033c9830399b66b7e51"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-sendattachment-and-setgroupicon-message-actions"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset"
}