Lucene search

19 matches found

Vulnrichment
•added 2026/04/10 4:3 p.m.•2 views

CVE-2026-35658 OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool

OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject...

CVSS 6.5 • AI score 5.8 • EPSS 0.00043
Exploits 0 • References 6

OSV
•added 2026/04/09 5:36 p.m.•3 views

GHSA-5FC7-F62M-8983 OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)

Impact Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix). Feishu document uploads could read local files outside the workspace-only file policy when processing docx upload blocks. OpenClaw is a user-controlled local assistant. This...

CVSS 2.1 • AI score 5.8 • EPSS 0.00061
Exploits 0 • References 2

Github Security Blog
•added 2026/03/26 9:48 p.m.•4 views

OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts

Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages...

CVSS 6.5 • AI score 5.8 • EPSS 0.00043
Exploits 0 • References 8 • Affected Software 1

OSV
•added 2026/03/26 9:48 p.m.•2 views

GHSA-CFP9-W5V9-3Q4H OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts

Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages...

CVSS 6.5 • AI score 5.9 • EPSS 0.00043
Exploits 0 • References 8

RedhatCVE
•added 2026/03/26 3:11 p.m.•1 views

CVE-2026-32033

OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the...

CVSS 7.5 • AI score 5.8 • EPSS 0.00071
Exploits 0 • References 1

OSV
•added 2026/03/19 10:16 p.m.•1 views

CVE-2026-32033

OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the...

CVSS 5.3 • AI score 5.9
Exploits 0 • References 3

NVD
•added 2026/03/19 10:16 p.m.•1 views

CVE-2026-32033

OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the...

CVSS 7.5 • EPSS 0.00071
Exploits 0 • References 3

CVE
•added 2026/03/19 10:7 p.m.•2 views

CVE-2026-32033

OpenClaw all versions prior to 2026.2.24 contain a path traversal vulnerability. The root cause is a canonicalization mismatch that allows @-prefixed absolute paths to bypass workspace-only file-system boundary validation. An attacker can exploit this by crafting @/… paths (e.g., @/etc/passwd) to...

CVSS 7.5 • AI score 5.8 • EPSS 0.00071
Exploits 0 • References 3 • Affected Software 1

OSV
•added 2026/03/04 7:21 p.m.•2 views

GHSA-3JX4-Q2M7-R496 OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations

Summary In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary. By default, tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesyste...

CVSS 7.6 • AI score 5.8
Exploits 0 • References 3

Snyk
•added 2026/03/04 7:21 p.m.•0 views

Symlink Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Symlink Attack in the tools.fs.workspaceOnly process when hardlink aliases inside the workspace reference files outside the workspace boundary. An attacker can access or modify files...

CVSS 7.6 • AI score 5.8
Exploits 0 • References 2

OSV
•added 2026/03/04 7:13 p.m.•3 views

GHSA-Q6QF-4P5J-R25G OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images

Summary In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images for example /agent/ and forwarding those bytes to vision model providers. Impact Sandbox boundary bypas...

CVSS 6 • AI score 5.9 • EPSS 0.00046
Exploits 0 • References 5

Github Security Blog
•added 2026/03/04 7:13 p.m.•10 views

OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images

Summary In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images for example /agent/ and forwarding those bytes to vision model providers. Impact Sandbox boundary bypas...

CVSS 6.5 • AI score 5.9 • EPSS 0.00046
Exploits 0 • References 5 • Affected Software 1

Snyk
•added 2026/03/04 7:13 p.m.•1 views

Files or Directories Accessible to External Parties

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Files or Directories Accessible to External Parties via the image tool when tools.fs.workspaceOnly is set to true but not enforced for mounted paths resolved by the sandbox file system...

CVSS 6.5 • AI score 5.8 • EPSS 0.00046
Exploits 0 • References 2

Positive Technologies
•added 2026/03/04 12:0 a.m.•3 views

PT-2026-26384

Summary In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images for example /agent/ and forwarding those bytes to vision model providers. Impact Sandbox boundary bypas...

CVSS 6 • AI score 5.8 • EPSS 0.00046
Exploits 0 • References 7

OSV
•added 2026/03/03 9:37 p.m.•0 views

GHSA-H9XM-J4QG-FVPG OpenClaw: Experimental apply_patch may bypass workspace-only checks in opt-in sandbox mounts (off by default)

Summary In some opt-in sandbox configurations, the experimental apply_patch tool did not consistently apply workspace-only checks to mounted paths for example /agent/.... Impact This does not affect default installs. Default posture: - agents.defaults.sandbox.mode=off sandbox disabled by default -...

CVSS 7.6 • AI score 6.1 • EPSS 0.00083
Exploits 0 • References 5

OSV
•added 2026/03/03 7:8 p.m.•0 views

GHSA-9F72-QCPW-2HXC OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths for example /agent/secret.png and load...

CVSS 8.9 • AI score 5.9
Exploits 0 • References 3

Github Security Blog
•added 2026/03/03 7:8 p.m.•2 views

OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths for example /agent/secret.png and load...

AI score 5.9
Exploits 0 • References 3 • Affected Software 1

Positive Technologies
•added 2026/03/03 12:0 a.m.•2 views

PT-2026-26389

Summary In some opt-in sandbox configurations, the experimental apply_patch tool did not consistently apply workspace-only checks to mounted paths for example /agent/.... Impact This does not affect default installs. Default posture: - agents.defaults.sandbox.mode=off sandbox disabled by default ...

CVSS 7.6 • AI score 5.9 • EPSS 0.00083
Exploits 0 • References 7

Snyk
•added 2026/02/19 8:45 p.m.•3 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal via the apply_patch tool when non-sandboxed path resolution fails to enforce workspace containment. An attacker can write or delete files outside the intended workspace...

CVSS 8.8 • AI score 6.2 • EPSS 0.00636
Exploits 0 • References 2