PT-2026-26411 · Openclaw · Openclaw

Peng Zhou · Published 2026-03-03 · Updated 2026-03-20 · CVE-2026-32030
CVSS v3.1 7.5 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.19

Description
OpenClaw versions prior to 2026.2.19 contain a path traversal issue in the stageSandboxMedia function. When iMessage remote attachment fetching is enabled, the function accepts arbitrary absolute paths instead of only paths inside the expected iMessage attachment directories. An attacker who can inject or tamper with attachment path metadata can therefore make OpenClaw fetch, via SCP from the configured remote host, any file readable by the OpenClaw process on that host and stage it as though it were an iMessage attachment. Exploitation requires iMessage attachments to be enabled, remote attachment mode to be active, and control over the attachment path metadata that reaches the function.

Recommendations
Upgrade to OpenClaw 2026.2.19 or later, which adds remote attachment path validation. If remote attachments are not required, disable iMessage attachment ingestion. Run OpenClaw on the remote host under a least-privilege account so that a traversal can only reach files that account can read.
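The check that was missing, as an added illustration written for this page rather than OpenClaw's own code: an accept-any-absolute-path predicate of the kind the advisory describes, beside a hardened validator that lexically resolves the metadata path and requires it to sit strictly inside an allowed iMessage attachment root before an SCP source is built from it. The root directory, the host name, the AttachmentMeta shape and the function names are assumptions for the example; OpenClaw's real configuration and types are not reproduced here.

```typescript
import * as path from "node:path";

// Assumed attachment root for the example (macOS stores iMessage attachments
// under ~/Library/Messages/Attachments; the user name is constructed).
export const DEFAULT_ATTACHMENT_ROOTS: string[] = [
  "/Users/alice/Library/Messages/Attachments",
];

// Minimal shape of attacker-influenceable attachment metadata (assumed).
export interface AttachmentMeta {
  filename: string;
  path: string;
}

// Vulnerable shape (illustrative, not OpenClaw's code): any absolute path is
// accepted, so metadata pointing at /etc/passwd or ~/.ssh/id_ed25519 passes
// and is later handed to SCP unchanged.
export function acceptsAnyAbsolutePath(candidate: string): boolean {
  return path.posix.isAbsolute(candidate);
}

// Hardened check: normalise the candidate lexically and require it to be a
// proper descendant of one of the allowed roots. Rejects relative paths,
// ".." escapes, NUL bytes, the root itself, and sibling-prefix confusion
// such as ".../AttachmentsEvil/x". Returns the normalised path or null.
export function resolveAllowedAttachmentPath(
  candidate: string,
  roots: readonly string[] = DEFAULT_ATTACHMENT_ROOTS,
): string | null {
  if (candidate.length === 0 || candidate.includes("\0")) return null;
  if (!path.posix.isAbsolute(candidate)) return null;
  const resolved = path.posix.normalize(candidate);
  for (const root of roots) {
    const rel = path.posix.relative(path.posix.normalize(root), resolved);
    // relative() yields "" for the root itself and "../..." when the target
    // lies outside the root; only a non-empty inward path is acceptable.
    const inside =
      rel.length > 0 &&
      rel !== ".." &&
      !rel.startsWith("../") &&
      !path.posix.isAbsolute(rel);
    if (inside) return resolved;
  }
  return null;
}

// Build the SCP source ("host:path") only for validated paths. Pass the
// result as its own argv element to a spawned scp, never through a shell.
export function scpSourceFor(
  meta: AttachmentMeta,
  host: string,
  roots: readonly string[] = DEFAULT_ATTACHMENT_ROOTS,
): string | null {
  const safe = resolveAllowedAttachmentPath(meta.path, roots);
  return safe === null ? null : `${host}:${safe}`;
}

// Constructed sample metadata: one legitimate attachment, one tampered entry.
export const SAMPLE_LEGIT: AttachmentMeta = {
  filename: "IMG_0001.jpg",
  path: "/Users/alice/Library/Messages/Attachments/ab/12/GUID/IMG_0001.jpg",
};
export const SAMPLE_TAMPERED: AttachmentMeta = {
  filename: "IMG_0002.jpg",
  path: "/Users/alice/Library/Messages/Attachments/../../../.ssh/id_ed25519",
};
```

The check is purely lexical: it runs on the local side before anything is sent to the remote host, so it cannot see symlinks that exist only there. A symlink planted inside the attachment directory on the remote host would still be followed by scp, which is why the advisory's least-privilege recommendation matters independently of path validation. The remote path in an SCP source is also interpreted by the remote shell, so quoting and metacharacter handling are a separate concern from the directory containment shown here.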

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-32030
GHSA-X9CF-3W63-RPQ9

Affected Products

Openclaw