The public gateway agent RPC in OpenClaw versions prior to 2026.3.11 allowed an authenticated user with the `operator.write` role to supply attacker-controlled `spawnedBy` and `workspaceDir` values. This flaw occurred because the gateway did not validate or sanitize these caller-supplied overrides against the agent’s configured workspace boundary. An attacker could leverage this by crafting an RPC call that includes path traversal sequences (like `../`) or absolute paths in the `workspaceDir` parameter. When the gateway processed this request, it would re-root the agent’s execution environment to the attacker-specified directory, effectively escaping the intended filesystem sandbox and gaining access to arbitrary process-accessible directories on the host system.
Platform: OpenClaw
Version: <= 2026.3.8
Vulnerability: Path Traversal
Severity: HIGH (8.8 CVSS)
Date: 2026-03-11
Prediction: Patched 2026.3.11
What Undercode Say:
Analytics
The vulnerability is a classic path traversal (CWE-22) where insufficient validation of input paths allows an attacker to break out of the designated workspace directory. The core issue is that the RPC endpoint trusted the `spawnedBy` and `workspaceDir` inputs from an authenticated (but not necessarily owner-level) user. This allowed for a sandbox escape, granting access to read, write, or execute files in any directory the OpenClaw process had permissions for. The fix in version 2026.3.11 enforces the configured workspace boundary, ignoring any malicious overrides provided in the RPC call.
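The kind of workspace-boundary check described above can be sketched in Node.js as follows. This is an added example, not OpenClaw's own code: `resolveWorkspace`, `demo` and the temporary directory layout are hypothetical names and constructed test data.

```javascript
// Added example: hypothetical boundary check, not OpenClaw's own code.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Return the real path of requestedDir if it lies inside configuredRoot,
// or null if the caller-supplied value would re-root the agent elsewhere.
function resolveWorkspace(configuredRoot, requestedDir) {
  const root = fs.realpathSync(configuredRoot);
  if (requestedDir === undefined) return root; // no override: configured root
  if (typeof requestedDir !== "string" || requestedDir.includes("\0")) return null;
  // path.resolve collapses "../" and lets an absolute path replace the root,
  // so its result has to be re-checked rather than trusted.
  const candidate = path.resolve(root, requestedDir);
  let real;
  try {
    real = fs.realpathSync(candidate); // follows symlinks planted in the root
  } catch {
    return null; // target does not exist: refuse instead of guessing
  }
  // Compare path components, not string prefixes: "<root>-evil" starts with
  // the root string but is a sibling directory.
  const rel = path.relative(root, real);
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return escapes ? null : real;
}

// Constructed layout for the demo: <tmp>/ws/project inside the root, plus
// <tmp>/outside, <tmp>/ws-evil and a symlink <tmp>/ws/link -> <tmp>/outside.
function demo() {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const root = path.join(tmp, "ws");
  fs.mkdirSync(path.join(root, "project"), { recursive: true });
  fs.mkdirSync(path.join(tmp, "outside"));
  fs.mkdirSync(path.join(tmp, "ws-evil"));
  fs.symlinkSync(path.join(tmp, "outside"), path.join(root, "link"), "dir");
  const allowed = (dir) => resolveWorkspace(root, dir) !== null;
  const results = {
    inside: allowed("project"),
    traversal: allowed("../../../../etc/"),
    absolute: allowed("/"),
    symlink: allowed("link"),
    siblingPrefix: allowed("../ws-evil"),
  };
  fs.rmSync(tmp, { recursive: true, force: true });
  return results;
}

console.log(demo());
```

Only the `inside` case is accepted; the traversal, absolute-path, symlink and sibling-prefix overrides all resolve outside the configured root and are rejected.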
Bash Commands & Code
To check your current OpenClaw version:
openclaw --version
To update to the patched version (2026.3.11 or later):
openclaw update --channel stable
To run an in-depth security audit to check for workspace misconfigurations:
openclaw security audit --deep
To verify file permissions on the workspace directory, ensuring it’s not world-writable:
ls -la ~/.openclaw/workspace/
# Expected output: drwx------ (700) for the directory
To create a dedicated, least-privilege user for running OpenClaw on Linux:
sudo useradd -r -s /bin/false openclaw-user
sudo chown -R openclaw-user:openclaw-user /opt/openclaw
sudo -u openclaw-user openclaw gateway start
Exploit
An authenticated attacker with `operator.write` privileges could exploit this by sending a crafted RPC request to the gateway agent. The request would include a malicious `workspaceDir` value, such as `../../../../etc/` or `/`, to redirect the agent’s root. Once the agent is re-rooted outside its sandbox, the attacker could then use standard agent tools (like read, write, or bash) to interact with sensitive system files, install backdoors, or move laterally within the host system.
Protection from this CVE
- Immediate Upgrade: Update OpenClaw to version 2026.3.11 or later, which contains the fix that enforces workspace boundaries.
- Principle of Least Privilege: Run the OpenClaw process with a dedicated, non-root user account with restricted permissions to its workspace directory (`chmod 700 ~/.openclaw/workspace/`).
- Network Hardening: Bind the gateway to the local loopback interface (`"gateway": { "bind": "loopback" }`) to prevent remote exploitation attempts and use a firewall to block unauthorized access.
- Enable Authentication: Set `auth.mode` to `"password"` or `"token"` in the gateway configuration to add a layer of access control, even for local connections.
Impact
Successful exploitation allows a non-owner operator with write access to completely escape the filesystem sandbox. The attacker can then read, modify, or delete any file accessible to the OpenClaw process, and execute arbitrary system commands. This can lead to full host compromise, data exfiltration, credential theft, and use of the compromised system as a pivot point for further network attacks.
Sources:
Reported By: github.com

