Description
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
Published: 2026-04-10
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Read via Boundary Bypass
Action: Patch
AI Analysis

Impact

OpenClaw before 2026.3.2 contains a filesystem boundary bypass in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject. The vulnerability enables reading of sensitive files beyond the intended workspace area, potentially exposing configuration details, secrets, or other confidential data. The flaw is classified as CWE-668, reflecting an improper restriction or validation of user-supplied data.

Affected Systems

The affected product is OpenClaw. All installations running OpenClaw earlier than 2026.3.2 are vulnerable. The software is a Node.js based tool, and the repository commits confirm the issue. No additional vendor variants are listed.

Risk and Exploitability

The CVSS score is 6.0, indicating medium severity. EPSS information is not available, so we cannot quantify exploitation likelihood from the available data. The vulnerability is not listed in CISA’s KEV catalog, implying no known exploits. Attackers would need to trigger the image tool with a crafted request that traverses the sandbox boundary, which likely requires either local access or a user-controlled image upload. The impact is limited to file read; there is no known code execution path, but unauthorized access could aid a broader compromise.

Generated by OpenCVE AI on April 10, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the OpenClaw version currently deployed.
  • Upgrade OpenClaw to version 2026.3.2 or later to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, restrict the image tool’s access to prevent traversal of sandbox bridge mounts.
  • Monitor OpenClaw logs for attempts to access files outside the workspace.

Generated by OpenCVE AI on April 10, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cfp9-w5v9-3q4h OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts
History

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
Title OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-668
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-14T14:56:40.942Z

Reserved: 2026-04-04T12:31:57.498Z

Link: CVE-2026-35658

cve-icon Vulnrichment

Updated: 2026-04-14T14:56:33.633Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:07.090

Modified: 2026-04-13T20:31:46.713

Link: CVE-2026-35658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:45Z

Weaknesses