#VU125163 Exposure of Resource to Wrong Sphere in OpenClaw - CVE-2026-33573

Published: April 8, 2026


Vulnerability identifier: #VU125163
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33573
CWE-ID: CWE-668
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a remote user to access files and execute tools outside the intended workspace boundary.

The vulnerability exists due to exposure of a resource to the wrong sphere in the public gateway agent RPC, which trusts the caller-supplied spawnedBy and workspaceDir values. A remote user can supply crafted spawnedBy and workspaceDir values to access files and execute tools outside the intended workspace boundary.

The issue is reachable by authenticated operators holding operator.write and allows a non-owner operator to re-root an agent run to an arbitrary directory that the gateway process can access.
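The defensive pattern this class of issue calls for is to treat a caller-supplied workspaceDir as a request that must land inside a server-configured set of workspace roots, and to stamp spawnedBy from the authenticated caller rather than from the RPC payload unless the caller is the owner. The block below is an added illustration written for this page, not OpenClaw's code or its fix; only the parameter names spawnedBy and workspaceDir come from the advisory, while the allowlist of roots, the CallerContext shape and the function names are assumptions.

```typescript
// Added example (not OpenClaw code): bounding a caller-supplied workspaceDir
// to configured roots and refusing caller-asserted spawnedBy from non-owners.
// Parameter names spawnedBy/workspaceDir are from the advisory; everything
// else here is hypothetical. Paths are treated as POSIX paths.
import * as path from "node:path";

interface AgentRunParams {
  workspaceDir?: string; // caller-supplied, untrusted
  spawnedBy?: string;    // caller-supplied, untrusted
}

interface CallerContext {
  operatorId: string; // identity established by gateway authentication
  isOwner: boolean;   // assumed owner flag on the authenticated session
}

class WorkspaceBoundaryError extends Error {}

// True when `candidate` is `root` or lies strictly inside it. Both sides are
// resolved first so `..` segments and duplicate separators cannot escape, and
// a sibling such as /srv/workspaces-evil is not mistaken for a child of
// /srv/workspaces (a plain startsWith on the string would accept it).
function isWithinRoot(root: string, candidate: string): boolean {
  const rel = path.posix.relative(path.posix.resolve(root), path.posix.resolve(candidate));
  if (rel === "") return true;
  if (path.posix.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.posix.sep);
}

// Hardened resolution of the two fields the advisory names. The server owns
// the allowed roots; the caller's workspaceDir is only honoured inside them,
// and spawnedBy is taken from the payload only for an owner.
function resolveRunParams(
  params: AgentRunParams,
  caller: CallerContext,
  allowedRoots: readonly string[],
  defaultRoot: string,
): { workspaceDir: string; spawnedBy: string } {
  const requested = params.workspaceDir ?? defaultRoot;
  const resolved = path.posix.resolve(requested);
  if (!allowedRoots.some((root) => isWithinRoot(root, resolved))) {
    throw new WorkspaceBoundaryError(
      `workspaceDir ${JSON.stringify(requested)} is outside the allowed workspace roots`,
    );
  }
  const spawnedBy = caller.isOwner && params.spawnedBy ? params.spawnedBy : caller.operatorId;
  return { workspaceDir: resolved, spawnedBy };
}

// Constructed sample requests for a stand-alone run.
const ROOTS = ["/srv/workspaces"];
const DEFAULT_ROOT = "/srv/workspaces/default";
const nonOwner: CallerContext = { operatorId: "op-7", isOwner: false };

const accepted = resolveRunParams(
  { workspaceDir: "/srv/workspaces/team-a/./proj", spawnedBy: "someone-else" },
  nonOwner, ROOTS, DEFAULT_ROOT,
);
console.log("accepted:", accepted); // spawnedBy is re-stamped to op-7

try {
  resolveRunParams({ workspaceDir: "/srv/workspaces/team-a/../../etc" }, nonOwner, ROOTS, DEFAULT_ROOT);
} catch (e) {
  console.log("rejected:", (e as Error).message);
}
```

In a real deployment the containment check should be applied to the realpath of the requested directory as well (fs.realpathSync after an existence check), since a symlink inside an allowed root can otherwise point outside it; the example stays purely lexical so it runs without touching the filesystem.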


Remediation

Install security update from vendor's website.

External links