OpenClaw Sandbox Bypass Vulnerability in Image Tool

Vulnerability

A sandbox bypass vulnerability has been identified in OpenClaw versions prior to 2026.2.23. The issue arises in the sandboxed image tool, which fails to properly enforce 'tools.fs.workspaceOnly' restrictions on mounted sandbox paths. This oversight allows attackers to access out-of-workspace files, such as those in the '/agent/' directory. Exploitation involves loading these restricted images and exfiltrating them through requests to vision model providers, thereby circumventing sandbox confidentiality controls.

Impact

Exploitation of this vulnerability bypasses sandbox boundaries, allowing for unauthorized access to sensitive information stored in out-of-workspace files. In the affected versions, while other tools respected workspace-only restrictions, the image tool could still access and exfiltrate out-of-workspace files via model requests.

Reproduction

To reproduce this vulnerability, create a sandbox environment with the image tool. Mount a file from the '/agent/' directory, which is outside the designated workspace. Then, use the image tool to load the mounted file and send it to a vision model provider. The request will succeed, demonstrating the bypass of the workspace-only restriction.

Remediation

Users can update to OpenClaw version 2026.2.23 or later, where this vulnerability has been patched.
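
As an added illustration (not OpenClaw's code and not the patch itself), the JavaScript below shows the kind of shared containment check a workspace-only restriction implies: every tool, the image loader included, resolves paths through one guard that follows symlinks before comparing against the workspace root. The function names, the nested config object built from the 'tools.fs.workspaceOnly' key, and the temporary directory layout are assumptions made for the example.

```javascript
// Added illustration: hypothetical guard, not OpenClaw's implementation.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Resolve symlinks first so the check covers the file that is really opened.
function resolveInsideWorkspace(workspaceRoot, requested) {
  const root = fs.realpathSync(workspaceRoot);
  const real = fs.realpathSync(path.resolve(root, requested));
  const rel = path.relative(root, real);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`outside workspace: ${requested}`);
  }
  return real;
}

// Every file-reading tool goes through one resolver, so no tool can skip it.
function makeTools(config, workspaceRoot) {
  const resolve = (p) =>
    config.tools.fs.workspaceOnly
      ? resolveInsideWorkspace(workspaceRoot, p)
      : path.resolve(workspaceRoot, p);
  return {
    readText: (p) => fs.readFileSync(resolve(p), "utf8"),
    // Bytes returned here are what would be attached to a vision model request.
    loadImage: (p) => fs.readFileSync(resolve(p)),
  };
}

// Constructed layout: <tmp>/workspace is the workspace, <tmp>/agent a sibling mount.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-guard-"));
  const ws = path.join(base, "workspace");
  const agent = path.join(base, "agent");
  fs.mkdirSync(ws);
  fs.mkdirSync(agent);
  fs.writeFileSync(path.join(ws, "chart.png"), "constructed-image");
  fs.writeFileSync(path.join(agent, "state.png"), "constructed-private");
  fs.symlinkSync(path.join(agent, "state.png"), path.join(ws, "link.png"));

  const tools = makeTools({ tools: { fs: { workspaceOnly: true } } }, ws);
  const verdict = (p) => {
    try { tools.loadImage(p); return "allowed"; } catch { return "denied"; }
  };
  const out = ["chart.png", path.join(agent, "state.png"), "../agent/state.png", "link.png"].map(verdict);
  fs.rmSync(base, { recursive: true, force: true });
  return out;
}
```

Calling demo() returns one verdict per requested path, in order: the in-workspace image, the absolute path into the sibling mount, the relative traversal, and the symlink that points out of the workspace.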

Added: Mar 19, 2026, 10:52 PM
Updated: Mar 19, 2026, 10:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.7
exploitability: 7.2
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.