Lucene search
K

7 matches found

OSV
OSV
added 2026/03/19 10:6 p.m.6 views

CVE-2026-32002 OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass

OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrat...

6CVSS6AI score0.00315EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/19 10:6 p.m.2 views

CVE-2026-32002 OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass

OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrat...

6CVSS5.8AI score0.00315EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/03/19 10:6 p.m.11 views

CVE-2026-32002

OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrat...

6CVSS5.8AI score0.00315EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/04 7:13 p.m.14 views

OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images

Summary In OpenClaw, the sandboxed image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images for example /agent/ and forwarding those bytes to vision model providers. Impact Sandbox boundary bypas...

6.5CVSS5.9AI score0.00315EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/03 7:8 p.m.3 views

GHSA-9F72-QCPW-2HXC OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

Summary In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true. This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths for example /agent/secret.png and load...

8.9CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/03/03 7:8 p.m.3 views

Directory Traversal

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Directory Traversal in detectAndLoadPromptImages or loadImageFromRef. An attacker can access and load image data from out-of-workspace paths by referencing mounted paths in prompt text...

8.9CVSS6.2AI score
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/03/02 12:0 a.m.6 views

PT-2026-26394

Impact The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file for example AGENTS.md could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host fil...

8.8CVSS6.4AI score0.00639EPSS
Exploits0References11
Rows per page
Query Builder