OpenClaw Sandbox Boundary Bypass Vulnerability in Temporary File Handling

Vulnerability

A sandbox boundary bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.11. This vulnerability arises in the fs-bridge staged write process, where the creation and population of temporary files are not securely tied to a verified parent directory. Exploitation involves a race condition related to changes in parent-path aliases, allowing attackers to write controlled data outside the intended validated path before the final replacement step is executed.
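The general hardening pattern for this class of bug, as an added example that is not OpenClaw's code or its actual fix: the parent directory is opened once with symlinks refused, and the temporary file is created, filled and renamed relative to that descriptor, never by re-resolving the path. The function names are hypothetical, and the sketch assumes a POSIX system where Python's `dir_fd` arguments are supported.

```python
import os
import secrets

# Hypothetical helper names; generic POSIX pattern, not taken from OpenClaw.
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def open_dir_beneath(root: str, rel_parent: str) -> int:
    """Walk rel_parent from root one component at a time, refusing symlinks
    and dot components, and return a descriptor for the checked directory."""
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    for part in filter(None, rel_parent.split("/")):
        try:
            if part in (".", ".."):
                raise ValueError(f"unsafe path component: {part!r}")
            nxt = os.open(part, DIR_FLAGS, dir_fd=fd)  # openat(): no re-resolution
        finally:
            os.close(fd)
        fd = nxt
    return fd

def staged_write_at(dir_fd: int, name: str, data: bytes) -> None:
    """Create, fill and commit the temp file relative to dir_fd only, so a
    later change to a path alias of that directory cannot move the write."""
    if "/" in name or name in ("", ".", ".."):
        raise ValueError(f"unsafe file name: {name!r}")
    tmp = f".{name}.{secrets.token_hex(8)}.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                 0o600, dir_fd=dir_fd)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, name, src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
    except BaseException:
        os.unlink(tmp, dir_fd=dir_fd)  # do not leave a staged file behind
        raise

def staged_write(root: str, rel_parent: str, name: str, data: bytes) -> None:
    """Validate the parent once, then stage and commit against that handle."""
    dir_fd = open_dir_beneath(root, rel_parent)
    try:
        staged_write_at(dir_fd, name, data)
    finally:
        os.close(dir_fd)
```

Because every step after validation uses the directory descriptor, the write lands in the directory that was checked even if its path name is re-pointed afterwards.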

Impact

Exploitation of this vulnerability could lead to unauthorized data being written outside of the intended directories, potentially disrupting the application's integrity and availability within the affected writable mount.

Remediation

Users are advised to upgrade to OpenClaw version 2026.3.11 or later.

Added: Mar 31, 2026, 12:23 PM
Updated: Mar 31, 2026, 12:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.3
exploitability: 2.9
remediation: 0.0
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.