CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

GHSA-V8WV-JG3Q-QWPQ OpenClaw's message tool media parameter bypasses tool policy filesystem isolation

Summary The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling. Impact A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters. Affected...

CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

OpenClaw 安全漏洞

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw suffers from a sandbox bypass vulnerability that can be exploited by an attacker to read arbitrary local files using mediaUrl and fileUrl alias parameters that bypass localRoots validation...