4 matches found
EUVD-2026-14585
OpenClaw before 2026.3.2 contains a symlink traversal vulnerability in stageSandboxMedia that allows attackers to overwrite files outside the sandbox workspace. Attackers can exploit unvalidated destination paths in media/inbound writes to follow symlinks and overwrite host files beyond intended...
CVE-2026-32903
Rejected reason: This CVE ID has been rejected...
PT-2026-27237
OpenClaw before 2026.3.2 contains a symlink traversal vulnerability in stageSandboxMedia that allows attackers to overwrite files outside the sandbox workspace. Attackers can exploit unvalidated destination paths in media/inbound writes to follow symlinks and overwrite host files beyond intended...
OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace
Summary stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root. Impact When sandbox media staging handled inbound files, destination writes under media/inbound were not destination-alias-safe. If a symlink exist...