How the CVE Works
The vulnerability stems from an incomplete allowlist in the `normalizeSandboxMediaParams` function, located in `src/infra/outbound/message-action-params.ts`. This function validates media parameters against a hardcoded array: `["media", "path", "filePath"]`. However, the parameter keys `mediaUrl` and `fileUrl`, which multiple channel extensions use for handling attachments, are omitted from this check. Consequently, any call using `mediaUrl` or `fileUrl` bypasses the path validation normally enforced by `resolveSandboxedMediaSource`.

Simultaneously, in `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but fails to pass the `mediaLocalRoots` context variable. Even though `ChannelMessageActionContext` defines this variable, plugins receive `undefined` and default to `getDefaultMediaLocalRoots()`, which permits access to the entire `~/.openclaw/` directory tree.

An attacker, acting through a sandboxed agent (Agent-A), can craft a message tool call with `{ mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" }`. The parameter bypasses validation and, because of the missing context, the plugin loads the file, effectively escaping the sandbox and reading data from another agent's workspace (Agent-B).
dailycve form:
Platform: OpenClaw Gateway
Version: <= 2026.3.14
Vulnerability: Sandbox Path Traversal
Severity: High
Date: 2026-03-31
Prediction: 2026-03-24
What Undercode Say:
```bash
# Identify vulnerable parameter usage in message tool calls
grep -rE "mediaUrl|fileUrl" src/channels/plugins/

# Check for missing mediaLocalRoots in dispatch context
grep -A 10 "handlePluginAction" src/infra/outbound/message-action-runner.ts | grep "dispatchChannelMessageAction"
```
Exploit:
```javascript
// PoC exploit script simulating sandboxed agent call
const maliciousCall = {
  tool: "message",
  params: {
    mediaUrl: "~/.openclaw/workspace/agent-b/secret_key.txt"
  }
};
// The call bypasses normalization and reads target file.
```
Protection from this CVE
Update to OpenClaw version 2026.3.24 or later. As a temporary mitigation, administrators can manually patch the `message-action-params.ts` file to add `"mediaUrl"` and `"fileUrl"` to the `mediaKeys` allowlist. Additionally, review the `handlePluginAction` dispatch in `message-action-runner.ts` to ensure `mediaLocalRoots` is explicitly passed to `dispatchChannelMessageAction`.
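The effect of the incomplete key list, and of adding the two missing keys, can be seen in the following added JavaScript sketch, which is not OpenClaw source code. The home directory, the sandbox root and the helpers `resolvePath`, `checkMediaSource`, `normalizeParams` and `verdict` are assumptions made for illustration, and the sketch models only the key-list half of the issue, not the missing `mediaLocalRoots` context.

```javascript
// Added illustration, not OpenClaw source. Paths and helper names are assumptions.
const HOME = "/home/user"; // constructed home directory
const SANDBOX_ROOT = HOME + "/.openclaw/workspace/agent-a"; // constructed root for Agent-A

// Key list as quoted in the advisory, and the same list with the two omitted keys.
const INCOMPLETE_KEYS = ["media", "path", "filePath"];
const COMPLETE_KEYS = [...INCOMPLETE_KEYS, "mediaUrl", "fileUrl"];

// Expand "~" and collapse "." and ".." segments (POSIX-style, no filesystem access).
function resolvePath(p, base) {
  let full = p === "~" || p.startsWith("~/") ? HOME + p.slice(1) : p;
  if (!full.startsWith("/")) full = base + "/" + full;
  const out = [];
  for (const seg of full.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Hypothetical stand-in for a sandbox path check: local paths must resolve under root.
function checkMediaSource(value, root) {
  if (/^https?:\/\//i.test(value)) return value; // remote URLs are out of scope here
  const resolved = resolvePath(value, root);
  if (resolved !== root && !resolved.startsWith(root + "/")) {
    throw new Error("path escapes sandbox: " + resolved);
  }
  return resolved;
}

// Validate every string parameter whose key is listed; unlisted keys pass through unchecked.
function normalizeParams(params, keys, root) {
  const out = { ...params };
  for (const key of keys) {
    if (typeof out[key] === "string") out[key] = checkMediaSource(out[key], root);
  }
  return out;
}

// "allowed" or "blocked" for one parameter object under a given key list.
function verdict(params, keys) {
  try {
    normalizeParams(params, keys, SANDBOX_ROOT);
    return "allowed";
  } catch {
    return "blocked";
  }
}
```

This check compares strings only; a production check would also resolve symlinks before comparing against the sandbox root.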
Impact
Successful exploitation allows a sandboxed agent to read arbitrary files from other agents’ workspaces, including API keys, session logs, and configuration files, fully compromising the multi-agent sandbox isolation intended to secure the environment.
Sources:
Reported By: github.com

