OpenClaw Improper Path Validation Vulnerability in Sandbox Media Handling Allowing Arbitrary File Read

A vulnerability exists in OpenClaw versions prior to 2026.2.24, where the application improperly validates paths in sandbox media handling. This flaw allows absolute paths under the host's temporary directory to bypass the active sandbox root. Attackers can exploit this vulnerability by sending malicious media references that are used to read and exfiltrate arbitrary files from the host temporary directory, using attachment delivery mechanisms.

Impact

Exploitation of this vulnerability could lead to unauthorized reading and exfiltration of files from the host's temporary directory, bypassing the sandbox's intended file access restrictions.

Reproduction

The vulnerability can be reproduced by sending media references that include absolute paths under the host's temporary directory, outside the active sandbox root. This can be done by importing 'os' from 'node:os' and using 'os.tmpdir()' to access the temporary directory. After the media reference is sent, the targeted file can be read and exfiltrated through the application's attachment delivery system.

Remediation

Users are advised to update OpenClaw to version 2026.2.24 or later, and to use OpenClaw's temp management helpers to avoid broad tmp-root regressions in messaging or channel code paths.