PT-2026-29235 · Openclaw · Openclaw
Tdjackey
Published: 2026-03-31 · Updated: 2026-03-31
CVE-2026-32988
CVSS v3.1: 7.5 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.11
Description
The software contains a sandbox boundary bypass in fs-bridge staged writes. Temporary file creation and population are not restricted to a verified parent directory, so an attacker can exploit a race condition in parent-path alias changes: if the parent path is re-aliased between validation and the write, attacker-controlled data is written outside the intended validated path before the final replacement step.
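The following added example (not OpenClaw's code and not its actual fix, which this page does not show) sketches one common defence against this class of race on POSIX systems: the parent directory is opened once, component by component with `O_NOFOLLOW`, and the temporary file and the final rename are both made relative to that pinned descriptor. All function names are hypothetical, `race_hook` exists only to simulate the alias change, and `root` itself is assumed to be trusted.

```python
import os
import secrets
import tempfile

def open_verified_parent(root, rel_parent):
    """Descend from root one component at a time, refusing symlinks; return a directory fd."""
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in filter(None, rel_parent.split("/")):
            if part in (".", ".."):
                raise PermissionError("traversal component in path")
            nxt = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return fd
    except BaseException:
        os.close(fd)
        raise

def staged_write(root, rel_path, data, race_hook=lambda: None):
    """Stage and replace rel_path under root; every step is relative to the pinned parent fd."""
    parent, _, name = rel_path.rpartition("/")
    if name in ("", ".", ".."):
        raise PermissionError("invalid file name")
    dfd = open_verified_parent(root, parent)
    tmp = f".{name}.{secrets.token_hex(8)}.tmp"
    try:
        race_hook()  # test hook (assumption): an alias change landing after the check
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600, dir_fd=dfd)
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            os.rename(tmp, name, src_dir_fd=dfd, dst_dir_fd=dfd)
        except BaseException:
            os.unlink(tmp, dir_fd=dfd)
            raise
    finally:
        os.close(dfd)

def demo():
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "work"))
    os.mkdir(outside)
    def swap():  # constructed scenario: 'work' becomes a symlink to 'outside' mid-write
        os.rename(os.path.join(root, "work"), os.path.join(root, "moved"))
        os.symlink(outside, os.path.join(root, "work"))
    staged_write(root, "work/a.txt", b"data", race_hook=swap)
    return os.listdir(outside), os.listdir(os.path.join(root, "moved"))
```

Because the write follows the descriptor rather than the path string, the staged file lands in the directory that was validated even after the path is re-aliased. On Linux 5.6 and later, `openat2` with `RESOLVE_BENEATH` performs the same confinement in a single call.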
Recommendations
Update to version 2026.3.11 or later.
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw