PT-2026-25523 · Npm · Openclaw
Published
2026-03-04
·
Updated
2026-03-04
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Summary
In OpenClaw, the sandboxed
image tool did not honor tools.fs.workspaceOnly=true for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example /agent/*) and forwarding those bytes to vision model providers.Impact
Sandbox boundary bypass with confidentiality impact. In affected versions,
read/write/edit respected workspace-only guardrails, but image could still load mounted out-of-workspace files and exfiltrate them via model requests.Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.22-2 - Patched versions:
>= 2026.2.23(released) - Latest published npm at triage time:
2026.2.22-2
Technical Details
workspaceOnly was enforced in sandbox file tools and apply patch, but not propagated/enforced for image sandbox path resolution. The fix threads workspaceOnly into image-tool construction and asserts sandbox-root containment before loading media bytes.Fix Commit(s)
dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53
OpenClaw thanks @tdjackey for reporting.
Fix
Information Disclosure
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw