Path traversal in OpenClaw - CVE-2026-32030
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to path traversal in stageSandboxMedia when processing inbound attachment path metadata. A remote user can supply crafted path metadata to disclose sensitive information.
Exploitation requires iMessage attachment ingestion to be enabled and remote attachment fetching to be active.