Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 npm packages depend on openclaw (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.2.
DescriptionCVE.org
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
AnalysisAI
Filesystem boundary bypass in OpenClaw before 2026.3.2 allows authenticated attackers to read arbitrary files by traversing sandbox bridge mounts outside the configured workspace, circumventing the tools.fs.workspaceOnly restriction. The vulnerability affects the image tool specifically and results in unauthorized information disclosure accessible via network with low complexity.
Technical ContextAI
OpenClaw's image tool implements a sandbox mechanism intended to restrict filesystem access to designated workspace boundaries via the tools.fs.workspaceOnly configuration. However, the tool fails to properly validate filesystem paths when traversing sandbox bridge mounts, allowing attackers to escape these restrictions. CWE-668 (Exposure of Resource to Wrong Sphere) indicates that protected filesystem resources are exposed outside their intended security boundary. The vulnerability leverages the interaction between the mount abstraction layer and path resolution logic, enabling an authenticated user to read files that other filesystem tools would properly reject based on workspace confinement rules.
RemediationAI
Upgrade OpenClaw to version 2026.3.2 or later, which incorporates fixes from commits ccfeecb6887cd97937e33a71877ad512741e82b2, 630f1479c44f78484dfa21bb407cbe6f171dac87, dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53, and 14baadda2c456f3cf749f1f97e8678746a34a7f4. These commits address the filesystem boundary validation logic in the image tool. Until patching is possible, review and enforce the principle of least privilege for users with access to the image tool, and restrict network access to OpenClaw instances where feasible. For detailed remediation instructions, consult the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h and VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-filesystem-boundary-bypass-in-image-tool.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21462