Incorrect authorization in OpenClaw - #VU125171

 

Incorrect authorization in OpenClaw - #VU125171

Published: April 8, 2026


Vulnerability identifier: #VU125171
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect authorization in the image tool path resolution when processing image paths with tools.fs.workspaceOnly enabled. A remote attacker can supply a crafted image path to disclose sensitive information.

The issue affects access to sandbox bridge mounts outside the workspace that other file tools would reject.


Remediation

Install security update from vendor's website.

Sources