OpenClaw, Sandbox Escape via Path Traversal, CVE-2026-27522 (High)

Listen to this Post

How the CVE Works

The vulnerability stems from an incomplete allowlist in the `normalizeSandboxMediaParams` function, located in src/infra/outbound/message-action-params.ts. This function validates media parameters against a hardcoded array: ["media", "path", "filePath"]. However, the parameter keys `mediaUrl` and fileUrl, which are used by multiple channel extensions for handling attachments, are omitted from this check. Consequently, any call using `mediaUrl` or `fileUrl` bypasses the path validation normally enforced by resolveSandboxedMediaSource. Simultaneously, in src/infra/outbound/message-action-runner.ts, the `handlePluginAction` function dispatches actions to channel plugins but fails to pass the `mediaLocalRoots` context variable. Even though `ChannelMessageActionContext` defines this variable, plugins receive `undefined` and default to getDefaultMediaLocalRoots(), which permits access to the entire `~/.openclaw/` directory tree. An attacker, acting through a sandboxed agent (Agent-A), can craft a message tool call with { mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" }. The parameter bypasses validation, and due to the missing context, the plugin loads the file, effectively escaping the sandbox and reading data from another agent’s workspace (Agent-B).

dailycve form:

Platform: OpenClaw Gateway
Version: <= 2026.3.14
Vulnerability: Sandbox Path Traversal
Severity: High
date: 2026-03-31

Prediction: 2026-03-24

What Undercode Say:

Identify vulnerable parameter usage in message tool calls
grep -r "mediaUrl|fileUrl" src/channels/plugins/
Check for missing mediaLocalRoots in dispatch context
grep -A 10 "handlePluginAction" src/infra/outbound/message-action-runner.ts | grep "dispatchChannelMessageAction"

Exploit:

// PoC exploit script simulating sandboxed agent call
const maliciousCall = {
tool: "message",
params: {
mediaUrl: "~/.openclaw/workspace/agent-b/secret_key.txt"
}
};
// The call bypasses normalization and reads target file.

Protection from this CVE

Update to OpenClaw version 2026.3.24 or later. As a temporary mitigation, administrators can manually patch the `message-action-params.ts` file to add `”mediaUrl”` and `”fileUrl”` to the `mediaKeys` allowlist. Additionally, review the `handlePluginAction` dispatch in `message-action-runner.ts` to ensure `mediaLocalRoots` is explicitly passed to dispatchChannelMessageAction.

Impact

Successful exploitation allows a sandboxed agent to read arbitrary files from other agents’ workspaces, including API keys, session logs, and configuration files, fully compromising the multi-agent sandbox isolation intended to secure the environment.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top