Path traversal in OpenClaw - CVE-2026-35668


Published: May 1, 2026


Vulnerability identifier: #VU128734
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35668
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to path traversal in normalizeSandboxMediaParams and handlePluginAction when processing message tool calls with mediaUrl or fileUrl parameter keys. A remote user can supply a crafted mediaUrl or fileUrl value to disclose sensitive information.

The issue can break sandbox isolation and expose files from other agents' workspaces because unchecked parameter keys bypass sandbox path validation and plugins fall back to default media roots.
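As an added example (hypothetical code, not OpenClaw's own), the kind of sandbox path check the advisory describes: a parameter key left out of the checked list (here `mediaUrl`) lets a traversal value through untouched, while validating every file-bearing key against the sandbox root rejects it. `MEDIA_PARAM_KEYS`, `resolveInSandbox` and `validateMediaParams` are assumed names; the sandbox root and parameter values are constructed.

```typescript
// Added example (not OpenClaw code): keep file references inside a sandbox root.
import * as path from "node:path";

// Constructed list of parameter keys that may carry a file reference. The
// advisory's point: a key missing from this list (e.g. mediaUrl, fileUrl)
// never reaches the sandbox check at all.
const MEDIA_PARAM_KEYS: readonly string[] = ["path", "mediaPath", "mediaUrl", "fileUrl"];

type CheckResult = { ok: true; resolved: string } | { ok: false; reason: string };

// Resolve `value` relative to `sandboxRoot` and reject anything outside it.
function resolveInSandbox(sandboxRoot: string, value: string): CheckResult {
  const root = path.resolve(sandboxRoot);
  // A file:// URL denotes a filesystem path; check the path it points at.
  const raw = value.startsWith("file://") ? value.slice("file://".length) : value;
  if (raw.includes("\0")) return { ok: false, reason: "NUL byte in path" };
  // path.resolve collapses "..", and an absolute `raw` simply ignores `root`,
  // so the relative-path test below catches both traversal and absolute paths.
  const candidate = path.resolve(root, raw);
  const rel = path.relative(root, candidate);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return { ok: false, reason: `escapes sandbox root: ${value}` };
  }
  return { ok: true, resolved: candidate };
}

// Validate every file-bearing key of a tool-call parameter object.
// Returns the keys whose values leave the sandbox (empty = all inside).
function validateMediaParams(
  sandboxRoot: string,
  params: Record<string, unknown>,
  keys: readonly string[] = MEDIA_PARAM_KEYS,
): string[] {
  const rejected: string[] = [];
  for (const key of keys) {
    const v = params[key];
    if (typeof v !== "string") continue; // absent or non-string: nothing to check
    if (!resolveInSandbox(sandboxRoot, v).ok) rejected.push(key);
  }
  return rejected;
}
```

Passing a key list that omits `mediaUrl` reproduces the unchecked-key failure mode: the traversal value is never examined, so the call looks clean.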


How to mitigate CVE-2026-35668

Install the security update from the vendor's website.
