OpenClaw Sandbox Bypass Vulnerability Allowing Arbitrary File Read
Vulnerability
A sandbox bypass vulnerability has been identified in OpenClaw versions prior to 2026.3.24. This vulnerability exists in the message tool, where the mediaUrl and fileUrl alias parameters can be used to read arbitrary local files. The issue arises because these alias parameters bypass the localRoots validation, allowing remote attackers to access files outside the designated sandbox directory.
Impact
Exploitation of this vulnerability allows arbitrary file read, exposing potentially sensitive information from the local file system of the host running OpenClaw.
Reproduction
The vulnerability can be reproduced by sending a message action that includes the mediaUrl or fileUrl parameters with unvalidated alias values. The message action should be dispatched through a channel that supports these parameters, such as Slack or Feishu. The alias values can be crafted to reference files outside the intended sandbox directory, bypassing the application's file access restrictions.
Remediation
Update to OpenClaw version 2026.3.24 or later, where this vulnerability has been patched.
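The root cause described above is a validation step applied to the canonical file parameters but not to their aliases. The following is an added illustration of the defensive pattern (every parameter that can name a local file is normalised and checked against localRoots before use); it is not OpenClaw's code, and the canonical parameter names "media" and "file", the sandbox root and the sample action are assumptions constructed for the example.

```typescript
import * as path from "node:path";
import { fileURLToPath } from "node:url";

// Hypothetical parameter names: the aliases are the ones named in the advisory,
// the canonical "media"/"file" names are assumed for illustration.
export const CANONICAL_KEYS = ["media", "file"] as const;
export const ALL_LOCAL_FILE_KEYS = [...CANONICAL_KEYS, "mediaUrl", "fileUrl"] as const;

// Map a parameter value to a filesystem path; null means "not a local read".
export function toLocalPath(value: string): string | null {
  let url: URL | undefined;
  try {
    url = new URL(value);
  } catch {
    // Not parseable as a URL: treat it as a plain filesystem path.
  }
  if (url === undefined) return value;
  if (url.protocol === "file:") return fileURLToPath(url);
  return null; // http(s) and other schemes are fetched remotely, not read from disk
}

// True only when `candidate` normalises to a location at or below one of the roots.
// path.relative is used so that a sibling such as "<root>-other" is not accepted as
// a prefix match. For paths that exist, resolve symlinks (fs.realpathSync) first.
export function isWithinRoots(candidate: string, localRoots: string[]): boolean {
  const resolved = path.resolve(candidate); // collapses "..", "." and trailing separators
  return localRoots.some((root) => {
    const rel = path.relative(path.resolve(root), resolved);
    if (rel === "") return true; // the root directory itself
    return !path.isAbsolute(rel) && rel.split(path.sep)[0] !== "..";
  });
}

// Returns the parameter names whose values escape localRoots. Passing only
// CANONICAL_KEYS mirrors the pre-fix behaviour, in which alias values were never checked.
export function rejectedParams(
  action: Record<string, unknown>,
  localRoots: string[],
  keys: readonly string[] = ALL_LOCAL_FILE_KEYS,
): string[] {
  const rejected: string[] = [];
  for (const key of keys) {
    const value = action[key];
    if (typeof value !== "string") continue;
    const local = toLocalPath(value);
    if (local !== null && !isWithinRoots(local, localRoots)) rejected.push(key);
  }
  return rejected;
}
```

Checking only CANONICAL_KEYS lets an out-of-root fileUrl through unnoticed; checking ALL_LOCAL_FILE_KEYS rejects it, which is the property the fix has to guarantee.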
