PT-2026-25112 · Npm · Openclaw
Published
2026-03-02
·
Updated
2026-03-02
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside
sandboxRoot.Impact
Affected versions could permit host file reads outside the intended sandbox root in media attachment/image flows.
Fix
Media reads now use consolidated root-scoped, boundary-safe read paths at use time, removing check/use drift across call sites.
Affected and Patched Versions
- Affected:
<= 2026.2.26 - Patched:
2026.3.1
Fix
Link Following
Time Of Check To Time Of Use
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw