GHSA-X9CF-3W63-RPQ9

Vulnerability from github – Published: 2026-03-03 19:58 – Updated: 2026-03-27 22:02
VLAI?
Summary
OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
Details

Summary

When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging.

If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.

Affected Packages / Versions

  • Package: openclaw
  • Affected: up to and including 2026.2.17 (latest npm version as of February 19, 2026)
  • Fixed: pending next release with remote attachment path validation

Impact

Confidentiality impact. An attacker who can influence inbound attachment path metadata may disclose files readable by the OpenClaw process on the configured remote host.

Attack Preconditions

  1. iMessage attachments enabled (channels.imessage.includeAttachments=true), and
  2. remote attachment mode active (channels.imessage.remoteHost configured or auto-detected), and
  3. attacker can inject/tamper with attachment path metadata.

Given these preconditions, this advisory is assessed as medium severity.

Fix Commit(s)

  • 1316e5740382926e45a42097b4bfe0aef7d63e8e

Release Process Note

patched_versions should be set to the next released npm version that includes remote attachment path validation, then the advisory can be published.

Mitigation

  • Upgrade to the first release that includes remote attachment path validation.
  • If remote attachments are not required, disable iMessage attachment ingestion.
  • Run OpenClaw under least privilege on the remote host.

OpenClaw thanks @zpbrent for reporting.

Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T19:58:32Z",
    "nvd_published_at": "2026-03-19T22:16:38Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen iMessage remote attachment fetching is enabled (`channels.imessage.remoteHost`), `stageSandboxMedia` accepted arbitrary absolute paths and used SCP to copy them into local staging.\n\nIf a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.\n\n### Affected Packages / Versions\n- Package: `openclaw`\n- Affected: up to and including `2026.2.17` (latest npm version as of February 19, 2026)\n- Fixed: pending next release with remote attachment path validation\n\n### Impact\nConfidentiality impact. An attacker who can influence inbound attachment path metadata may disclose files readable by the OpenClaw process on the configured remote host.\n\n### Attack Preconditions\n1. iMessage attachments enabled (`channels.imessage.includeAttachments=true`), and\n2. remote attachment mode active (`channels.imessage.remoteHost` configured or auto-detected), and\n3. attacker can inject/tamper with attachment path metadata.\n\nGiven these preconditions, this advisory is assessed as **medium** severity.\n\n\n## Fix Commit(s)\n- `1316e5740382926e45a42097b4bfe0aef7d63e8e`\n\n### Release Process Note\n`patched_versions` should be set to the next released npm version that includes remote attachment path validation, then the advisory can be published.\n\n### Mitigation\n- Upgrade to the first release that includes remote attachment path validation.\n- If remote attachments are not required, disable iMessage attachment ingestion.\n- Run OpenClaw under least privilege on the remote host.\n\nOpenClaw thanks @zpbrent for reporting.",
  "id": "GHSA-x9cf-3w63-rpq9",
  "modified": "2026-03-27T22:02:29Z",
  "published": "2026-03-03T19:58:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32030"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.