CVE-2026-31990

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.2

Description The stageSandboxMedia function does not properly validate destination symlinks during media staging, potentially allowing writes to follow symlinks outside the sandbox workspace. This could allow attackers to overwrite arbitrary files on the host system outside of the sandbox boundaries by placing symlinks in the media/inbound directory. The issue occurs because the function validates source paths but uses a direct copy path for destination files, lacking destination boundary checks.

Recommendations Versions prior to 2026.3.2 should be updated to version 2026.3.2 or later.