OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts

Summary The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. Affected Packages...

PT-2026-27237

OpenClaw before 2026.3.2 contains a symlink traversal vulnerability in stageSandboxMedia that allows attackers to overwrite files outside the sandbox workspace. Attackers can exploit unvalidated destination paths in media/inbound writes to follow symlinks and overwrite host files beyond intended...

CVE-2026-31990

OpenClaw (

CVE-2026-22180

OpenClaw is affected in versions prior to 2026.3.2 by a path-confinement bypass in browser output handling that allows writing outside intended root directories. The issue arises from insufficient canonical path-boundary validation in file write operations, enabling writes to arbitrary locations ...

OpenClaw has encoded-path auth bypass in plugin `/api/channels` route classification

Summary Updated March 2, 2026 Encoded alternate-path requests could bypass plugin route auth checks for /api/channels/ due to canonicalization depth mismatch in vulnerable builds. Affected Packages / Versions - Package: openclaw npm - Latest published vulnerable version: 2026.3.1 - Affected range...

GHSA-R54R-WMMQ-MH84 OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind

Summary ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write. Affected Packages / Versions - Package: openclaw npm - Vulnerable versions: = 2026.3.1 - Latest published vulnerable version...

GHSA-H3RM-6X7G-882F OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts

Summary In [email protected], node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload for example echo SAFE could execute a different local script when wrapper argv were rewritten. Affected Package...

Server-side Request Forgery (SSRF)

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the writeUrlToFile function. An attacker can access internal network resources or perform unauthorized network requests by supplying crafted URLs in t...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the webhook request body parsing. An attacker can degrade service availability by sending slow or oversized unauthenticated reques...

PT-2026-26228

Summary In [email protected], node system.run approval-path hardening rewrote wrapper command argv in a way that changed execution semantics. A command shown/approved as a shell payload for example echo SAFE could execute a different local script when wrapper argv were rewritten. Affected Package...