Description
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.
Published: 2026-03-18
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.24 suffer a local media root bypass in the sendAttachment and setGroupIcon message actions when the sandboxRoot is unset. The flaw allows an attacker to hydrate media from local absolute paths, enabling an arbitrary host file read of any file accessible to the runtime user. This vulnerability is a CWE‑22 (Absolute Path Traversal) and results in a confidentiality breach, as unauthorized data could be disclosed from the host file system.

Affected Systems

The affected system is the OpenClaw messaging application distributed under the OpenClaw:OpenClaw product line. All releases before 2026.2.24 are impacted. The Common Platform Enumeration for the affected product is cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw arises only when sandboxRoot is unset, the likely attack vector is local; an attacker with access to the running application can perform a file read of any system file within the runtime user's permissions. In environments where the application runs with elevated privileges, the risk of broader compromise increases. The absence of a publicly known workaround underscores the importance of applying the patch promptly.

Generated by OpenCVE AI on March 18, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.24 or later.
  • Configure the sandboxRoot setting to a fixed directory to prevent media root bypass.
  • Limit the privileges of the OpenClaw runtime user to reduce the impact of potential file reads.
  • Disable or restrict sendAttachment and setGroupIcon message actions if they are not required.
  • Monitor the OpenClaw security advisory page for further updates.

Generated by OpenCVE AI on March 18, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fqcm-97m6-w7rm OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
History

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability in sendAttachment and setGroupIcon message actions when sandboxRoot is unset. Attackers can hydrate media from local absolute paths to read arbitrary host files accessible by the runtime user.
Title OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-22
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-18T16:00:17.502Z

Reserved: 2026-02-19T21:44:45.173Z

Link: CVE-2026-27522

cve-icon Vulnrichment

Updated: 2026-03-18T16:00:14.293Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T02:16:23.220

Modified: 2026-03-18T20:05:50.113

Link: CVE-2026-27522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:53:36Z

Weaknesses