Description
OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls.
Published: 2026-03-19
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.2.23 are vulnerable to a sandbox boundary bypass in the image tool because the tools.fs.workspaceOnly restriction is not enforced on mounted sandbox paths. This flaw allows an attacker to read files outside the intended workspace and exfiltrate them through vision model provider requests, thereby exposing confidential data. The vulnerability is classified as CWE-200, indicating an information exposure weakness.

Affected Systems

Affected products are OpenClaw:OpenClaw running on Node.js environments, with all releases prior to 2026.2.23 impacted. No more specific version details are provided beyond the version upper bound.

Risk and Exploitability

The CVSS score of 6 indicates medium severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack vector is remote, using the image tool API to load restricted images and trigger external vision model requests that carry the exfiltrated data. Exploitation requires access to the OpenClaw application or its API endpoints, and succeeds because sandbox boundaries are not properly enforced.

Generated by OpenCVE AI on March 19, 2026 at 23:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.23 or later where the sandbox check is fixed.
  • If an upgrade cannot be performed immediately, limit use of the image tool or block external vision model provider requests that could carry exfiltrated content.

Generated by OpenCVE AI on March 19, 2026 at 23:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6qf-4p5j-r25g OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
History

Fri, 20 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls.
Title OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-200
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T17:04:54.047Z

Reserved: 2026-03-10T19:48:13.664Z

Link: CVE-2026-32002

cve-icon Vulnrichment

Updated: 2026-03-20T17:04:49.418Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T22:16:32.327

Modified: 2026-03-23T18:53:37.637

Link: CVE-2026-32002

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T11:05:41Z

Weaknesses