Openclaw
CVE-2026-32007
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system.
AnalysisAI
OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.
Technical ContextAI
The vulnerability resides in OpenClaw's apply_patch tool, a utility designed to apply file patches within a sandboxed environment. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as 'Path Traversal'). The issue stems from inconsistent enforcement of workspace-boundary checks when processing mounted paths—specifically, the tool fails to properly validate that patch operations remain confined to the designated workspace root directory when interacting with writable mounts. This allows an attacker to construct apply_patch operations that traverse directory boundaries and access mounted filesystems outside the workspace, effectively breaking the sandbox isolation model. The affected product is OpenClaw, a collaborative development and automation platform.
RemediationAI
Immediately upgrade OpenClaw to version 2026.2.23 or later to apply the vendor's patch. The fix addresses inconsistent workspace boundary checks by enforcing stricter validation on all mounted paths before apply_patch operations are permitted. Until patching is completed, restrict sandbox access to users requiring it for essential workflows, disable the apply_patch tool if not actively used, and monitor file access logs for suspicious patch operations targeting locations outside the workspace directory. Reference the official security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-h9xm-j4qg-fvpg for detailed upgrade instructions and verification steps.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-h9xm-j4qg-fvpg