High severity7.7NVD Advisory· Published Apr 10, 2026· Updated Apr 13, 2026
CVE-2026-35668
CVE-2026-35668
Description
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
openclawnpm | < 2026.3.24 | 2026.3.24 |
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/openclaw/openclaw/security/advisories/GHSA-hr5v-j9h9-xjhgnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-hr5v-j9h9-xjhgghsaADVISORY
- www.vulncheck.com/advisories/openclaw-sandbox-media-root-bypass-via-unnormalized-mediaurl-and-fileurl-parametersnvdThird Party Advisory
News mentions
0No linked articles in our index yet.