Rosayxy

**Name of the Vulnerable Software and Affected Versions** openclaude versions prior to 0.5.1 **Description** A security issue exists where the `dangerouslyDisableSandbox` parameter is exposed within the BashTool input schema. This allows a Large Language Model (LLM), which is considered an untrusted principal, to set this parameter to `true` in a `tool use` response. When combined with the default setting `allowUnsandboxedCommands: true`, a model subject to prompt injection can bypass the sandbox boundary. This enables the execution of arbitrary commands directly on the host system, leading to full host-level code execution. The issue is rooted in the `shouldUseSandbox()` function, which fails to properly restrict this security-critical flag from model control. **Recommendations** Update to version 0.5.1 or later. As a temporary mitigation, set the `allowUnsandboxedCommands` configuration setting to `false` to ensure the sandbox remains active regardless of the model's input.

**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.4.8 **Description** A filesystem policy bypass exists in the processing of docx uploads, enabling local file reads outside of workspace boundaries. This allows attackers to access files beyond the intended workspace-only filesystem policy via the 'upload file' and 'upload image' endpoints. **Recommendations** Update to version 2026.4.8 or later. Restrict access to the 'upload file' and 'upload image' endpoints to minimize the risk of exploitation.