GHSA-V8WV-JG3Q-QWPQ

Vulnerability from github – Published: 2026-03-31 23:54 – Updated: 2026-04-06 17:34
VLAI?
Summary
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
Details

Summary

The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling.

Impact

A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters.

Affected Component

src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts

Fixed Versions

  • Affected: < 2026.3.24
  • Patched: >= 2026.3.24
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 1d7cb6fc03 (fix: close sandbox media root bypass for mediaUrl/fileUrl aliases).

OpenClaw thanks @AntAISecurityLab for reporting.

Severity ?
6.2 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.1 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.24"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33581"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:54:28Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe message tool accepted `mediaUrl` and `fileUrl` aliases without applying the same sandbox localRoots validation as the canonical media path handling.\n\n## Impact\n\nA caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters.\n\n## Affected Component\n\n`src/infra/outbound/message-action-params.ts, src/infra/outbound/message-action-runner.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c 2026.3.24`\n- Patched: `\u003e= 2026.3.24`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `1d7cb6fc03` (`fix: close sandbox media root bypass for mediaUrl/fileUrl aliases`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-v8wv-jg3q-qwpq",
  "modified": "2026-04-06T17:34:18Z",
  "published": "2026-03-31T23:54:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v8wv-jg3q-qwpq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33581"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/1d7cb6fc03552bbba00e7cffb3aa9741f5556416"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-mediaurl-and-fileurl-parameters"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw\u0027s message tool media parameter bypasses tool policy filesystem isolation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.