Description
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.
Published: 2026-03-31
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions earlier than 2026.3.24 allow a remote attacker to read arbitrary local files by exploiting a sandbox bypass in the message tool. The vulnerability comes from mediaUrl and fileUrl alias parameters that bypass the localRoots validation, enabling the attacker to retrieve files outside the intended sandbox. This can lead to disclosure of sensitive data and compromise the underlying system.

Affected Systems

Affected deployments include any installation of OpenClaw prior to 2026.3.24. The product is OpenClaw, developed by the OpenClaw team, and runs in a Node.js environment.

Risk and Exploitability

The CVSS score is 7.1, indicating a medium to high risk if exploited. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation is known at disclosure. The attack can be performed remotely by crafting requests that use the mediaUrl or fileUrl parameters, providing a clear path to information disclosure and potential privilege escalation depending on file permissions.

Generated by OpenCVE AI on March 31, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply OpenClaw patch to version 2026.3.24 or later.


Advisories
  Source: Github GHSA
  ID: GHSA-v8wv-jg3q-qwpq
  Title: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
History

Tue, 31 Mar 2026 18:00:00 +0000

  Type: Metrics
  Values Removed: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Tue, 31 Mar 2026 15:15:00 +0000

  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 14:30:00 +0000

  Type: Description
  Values Added: OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.

  Type: Title
  Values Added: OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters

  Type: First Time appeared
  Values Added: Openclaw; Openclaw openclaw

  Type: Weaknesses
  Values Added: CWE-22

  Type: CPEs
  Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

  Type: Vendors & Products
  Values Added: Openclaw; Openclaw openclaw

  Type: References
  Values Added: (empty)

  Type: Metrics
  Values Added: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-31T17:43:39.374Z

Reserved: 2026-03-23T11:00:48.409Z

Link: CVE-2026-33581

Vulnrichment

Updated: 2026-03-31T14:29:22.756Z

NVD

Status: Analyzed

Published: 2026-03-31T15:16:15.373

Modified: 2026-04-01T19:01:07.490

Link: CVE-2026-33581

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:38:24Z

Weaknesses