GHSA-HR5V-J9H9-XJHG

Vulnerability from github – Published: 2026-03-30 18:31 – Updated: 2026-04-10 17:29
VLAI?
Summary
OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)
Details

Fixed in OpenClaw 2026.3.24, the current shipping release.

Advisory Details

Title: Sandbox Media Root Bypass via Unnormalized mediaUrl / fileUrl Parameter Keys (CWE-22)

Description:

Summary

A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the mediaUrl or fileUrl parameter key in message tool calls. The normalizeSandboxMediaParams function only checks ["media", "path", "filePath"] keys, while mediaUrl and fileUrl escape normalization entirely. Combined with handlePluginAction dropping mediaLocalRoots from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.

Details

The vulnerability exists in two files within the messaging pipeline:

1. Incomplete parameter key coverage in normalizeSandboxMediaParams:

In src/infra/outbound/message-action-params.ts, the function iterates over a hardcoded allowlist of parameter keys to validate:

// Line 212
const mediaKeys: Array<"media" | "path" | "filePath"> = ["media", "path", "filePath"];

The mediaUrl and fileUrl parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by resolveSandboxedMediaSource.

2. Dropped mediaLocalRoots in handlePluginAction:

In src/infra/outbound/message-action-runner.ts, the handlePluginAction function dispatches actions to channel plugins but omits mediaLocalRoots from the context:

// Lines 684-697
const handled = await dispatchChannelMessageAction({
    channel,
    action,
    cfg,
    params,
    accountId: accountId ?? undefined,
    requesterSenderId: input.requesterSenderId ?? undefined,
    sessionKey: input.sessionKey,
    sessionId: input.sessionId,
    agentId,
    gateway,
    toolContext: input.toolContext,
    dryRun,
    // mediaLocalRoots is MISSING here
});

Despite ChannelMessageActionContext defining mediaLocalRoots?: readonly string[] (in src/channels/plugins/types.core.ts line 478), plugins receive undefined and fall back to getDefaultMediaLocalRoots(), which permits reads of the entire ~/.openclaw/ directory tree — including all agents' workspaces.

Attack chain: 1. A sandboxed agent (Agent-A at ~/.openclaw/workspace/agent-a/) calls the message tool with { mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" } 2. normalizeSandboxMediaParams skips the mediaUrl key (not in allowlist) 3. handlePluginAction dispatches without mediaLocalRoots 4. Plugin calls loadWebMedia with default roots, which allows ~/.openclaw/workspace/** 5. Agent-B's secret file content is read and sent as a channel attachment

PoC

Prerequisites: - Docker installed - OpenClaw Docker image built (openclaw-gateway:latest)

Steps:

  1. Start the vulnerable gateway container:
cd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/
docker compose up -d
sleep 5
  1. Run the exploit:
python3 poc_exploit.py

  1. The exploit writes a secret file to ~/.openclaw/workspace/agent-b/secret_key.txt inside the container, then invokes normalizeSandboxMediaParams with Agent-A's sandbox policy and { mediaUrl: <agent-b-secret-path> }. The mediaUrl key bypasses normalization, and loadWebMedia reads the file successfully.

  2. Run the control experiment to confirm sandbox works for checked keys:

python3 control-sandbox_enforced.py

Log of Evidence

Exploit output:

=== CVE-2026-27522 Variant: Sandbox Media Root Bypass ===

[*] Container 'openclaw-media-bypass-test' is running
[*] Running exploit script with Bun...

[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams!
  Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a
  mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt
  args after normalization: {"mediaUrl":"/root/.openclaw/workspace/agent-b/secret_key.txt"}
[EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef

=== EXPLOIT SUCCESSFUL ===
Agent-A read Agent-B's secret file via mediaUrl, bypassing sandbox.

[+] RESULT: VULNERABLE — mediaUrl bypasses sandbox enforcement

Control experiment output:

=== Control Experiment: Sandbox Enforcement for 'media' Key ===

[*] Container 'openclaw-media-bypass-test' is running
[*] Running control script with Bun...

[SAFE] normalizeSandboxMediaParams blocked 'media' key as expected!
  Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt

=== CONTROL EXPERIMENT PASSED ===
The 'media' parameter IS correctly checked by sandbox enforcement.
Only unchecked keys (mediaUrl, fileUrl) bypass the sandbox.

[+] CONTROL PASSED: 'media' key is correctly enforced by sandbox

Impact

This is a sandbox escape vulnerability. An attacker who can influence an agent's tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents' workspaces. This includes: - API keys and secrets stored in other agents' sandboxes - Session data and conversation logs - Configuration files with sensitive credentials - Any file within the ~/.openclaw/ directory tree

This completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project's Docker and sandboxing documentation.

Affected products

  • Ecosystem: npm
  • Package name: openclaw
  • Affected versions: <= 2026.3.14 (current latest)
  • Patched versions:

Severity

  • Severity: High
  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Weaknesses

  • CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Occurrences

Permalink Description
https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227 The normalizeSandboxMediaParams function with incomplete mediaKeys allowlist — mediaUrl and fileUrl are not checked.
https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697 The handlePluginAction dispatch call that omits mediaLocalRoots from the context passed to dispatchChannelMessageAction.
https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478 The ChannelMessageActionContext type that defines mediaLocalRoots but never receives it from handlePluginAction.
Severity ?
7.7 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T18:31:02Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "\u003e Fixed in OpenClaw 2026.3.24, the current shipping release.\n\n### Advisory Details\n**Title**: Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)\n\n**Description**:\n### Summary\nA path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents\u0027 workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `[\"media\", \"path\", \"filePath\"]` keys, while `mediaUrl` and `fileUrl` escape normalization entirely. Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.\n\n### Details\nThe vulnerability exists in two files within the messaging pipeline:\n\n**1. Incomplete parameter key coverage in `normalizeSandboxMediaParams`:**\n\nIn `src/infra/outbound/message-action-params.ts`, the function iterates over a hardcoded allowlist of parameter keys to validate:\n\n```typescript\n// Line 212\nconst mediaKeys: Array\u003c\"media\" | \"path\" | \"filePath\"\u003e = [\"media\", \"path\", \"filePath\"];\n```\n\nThe `mediaUrl` and `fileUrl` parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by `resolveSandboxedMediaSource`.\n\n**2. Dropped `mediaLocalRoots` in `handlePluginAction`:**\n\nIn `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but omits `mediaLocalRoots` from the context:\n\n```typescript\n// Lines 684-697\nconst handled = await dispatchChannelMessageAction({\n    channel,\n    action,\n    cfg,\n    params,\n    accountId: accountId ?? undefined,\n    requesterSenderId: input.requesterSenderId ?? undefined,\n    sessionKey: input.sessionKey,\n    sessionId: input.sessionId,\n    agentId,\n    gateway,\n    toolContext: input.toolContext,\n    dryRun,\n    // mediaLocalRoots is MISSING here\n});\n```\n\nDespite `ChannelMessageActionContext` defining `mediaLocalRoots?: readonly string[]` (in `src/channels/plugins/types.core.ts` line 478), plugins receive `undefined` and fall back to `getDefaultMediaLocalRoots()`, which permits reads of the entire `~/.openclaw/` directory tree \u2014 including all agents\u0027 workspaces.\n\n**Attack chain:**\n1. A sandboxed agent (Agent-A at `~/.openclaw/workspace/agent-a/`) calls the message tool with `{ mediaUrl: \"~/.openclaw/workspace/agent-b/secret.txt\" }`\n2. `normalizeSandboxMediaParams` skips the `mediaUrl` key (not in allowlist)\n3. `handlePluginAction` dispatches without `mediaLocalRoots`\n4. Plugin calls `loadWebMedia` with default roots, which allows `~/.openclaw/workspace/**`\n5. Agent-B\u0027s secret file content is read and sent as a channel attachment\n\n### PoC\n\n**Prerequisites:**\n- Docker installed\n- OpenClaw Docker image built (`openclaw-gateway:latest`)\n\n**Steps:**\n\n1. Start the vulnerable gateway container:\n\n```bash\ncd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/\ndocker compose up -d\nsleep 5\n```\n\n2. Run the exploit:\n\n```bash\npython3 poc_exploit.py\n```\n\n3. The exploit writes a secret file to `~/.openclaw/workspace/agent-b/secret_key.txt` inside the container, then invokes `normalizeSandboxMediaParams` with Agent-A\u0027s sandbox policy and `{ mediaUrl: \u003cagent-b-secret-path\u003e }`. The `mediaUrl` key bypasses normalization, and `loadWebMedia` reads the file successfully.\n\n4. Run the control experiment to confirm sandbox works for checked keys:\n\n```bash\npython3 control-sandbox_enforced.py\n```\n\n### Log of Evidence\n\n**Exploit output:**\n```\n=== CVE-2026-27522 Variant: Sandbox Media Root Bypass ===\n\n[*] Container \u0027openclaw-media-bypass-test\u0027 is running\n[*] Running exploit script with Bun...\n\n[VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams!\n  Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a\n  mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt\n  args after normalization: {\"mediaUrl\":\"/root/.openclaw/workspace/agent-b/secret_key.txt\"}\n[EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef\n\n=== EXPLOIT SUCCESSFUL ===\nAgent-A read Agent-B\u0027s secret file via mediaUrl, bypassing sandbox.\n\n[+] RESULT: VULNERABLE \u2014 mediaUrl bypasses sandbox enforcement\n```\n\n**Control experiment output:**\n```\n=== Control Experiment: Sandbox Enforcement for \u0027media\u0027 Key ===\n\n[*] Container \u0027openclaw-media-bypass-test\u0027 is running\n[*] Running control script with Bun...\n\n[SAFE] normalizeSandboxMediaParams blocked \u0027media\u0027 key as expected!\n  Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt\n\n=== CONTROL EXPERIMENT PASSED ===\nThe \u0027media\u0027 parameter IS correctly checked by sandbox enforcement.\nOnly unchecked keys (mediaUrl, fileUrl) bypass the sandbox.\n\n[+] CONTROL PASSED: \u0027media\u0027 key is correctly enforced by sandbox\n```\n\n### Impact\nThis is a **sandbox escape** vulnerability. An attacker who can influence an agent\u0027s tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents\u0027 workspaces. This includes:\n- API keys and secrets stored in other agents\u0027 sandboxes\n- Session data and conversation logs\n- Configuration files with sensitive credentials\n- Any file within the `~/.openclaw/` directory tree\n\nThis completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project\u0027s Docker and sandboxing documentation.\n\n### Affected products\n- **Ecosystem**: npm\n- **Package name**: openclaw\n- **Affected versions**: \u003c= 2026.3.14 (current latest)\n- **Patched versions**: \u003cNone\u003e\n\n### Severity\n- **Severity**: High\n- **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N\n\n### Weaknesses\n- **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\n\n### Occurrences\n\n| Permalink | Description |\n| :--- | :--- |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227) | The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist \u2014 `mediaUrl` and `fileUrl` are not checked. |\n| [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697) | The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`. |\n| [https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478](https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478) | The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`. |",
  "id": "GHSA-hr5v-j9h9-xjhg",
  "modified": "2026-04-10T17:29:38Z",
  "published": "2026-03-30T18:31:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhg"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.