PT-2026-29261 · Openclaw · Openclaw
Antaisecuritylab
·
Published
2026-03-31
·
Updated
2026-03-31
·
CVE-2026-33581
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.3.24
Description
The software contains a sandbox bypass issue in the message tool. This allows attackers to read arbitrary local files by exploiting the
mediaUrl and fileUrl alias parameters, which bypass localRoots validation. Attackers can route file requests through these unvalidated parameters to access files outside the intended sandbox directory.Recommendations
Update to version 2026.3.24 or later.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw