Openclaw
CVE-2026-32030
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.
AnalysisAI
OpenClaw versions before 2026.2.19 allow remote file disclosure when iMessage remote attachment fetching is enabled, as the stageSandboxMedia function fails to properly validate attachment paths and accepts arbitrary absolute paths. An attacker with the ability to manipulate attachment metadata can read files accessible to the OpenClaw process on the configured remote host via SCP. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability exists in OpenClaw's stageSandboxMedia function, which is responsible for handling iMessage remote attachments fetched via SCP protocol. The root cause is a classic path traversal flaw classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where the function fails to properly validate and sanitize file paths before passing them to the SCP client. When iMessage remote attachment fetching is enabled, the application accepts attachment path metadata from untrusted sources without enforcing that paths remain within a designated sandbox directory. An attacker who can intercept or manipulate attachment metadata can inject absolute paths (e.g., /etc/passwd, /root/.ssh/id_rsa) that the SCP client will then attempt to retrieve from the remote host, bypassing the intended sandbox restriction.
RemediationAI
Immediately upgrade OpenClaw to version 2026.2.19 or later to apply the patch that properly validates and restricts attachment paths to the intended sandbox directory. This update is available from the OpenClaw project repository as referenced in the security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9. If immediate patching is not possible, disable iMessage remote attachment fetching functionality in the OpenClaw configuration until the upgrade can be completed, or restrict network access to the OpenClaw process and remote attachment hosts using firewall rules to limit potential attack surface. Additionally, audit logs for any suspicious SCP requests to non-standard system paths (e.g., /etc, /root, /var) that may indicate exploitation attempts.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x9cf-3w63-rpq9