CVE-2026-35658
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
Apr 10, 2026
Vendor
unknown
Description
OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.
References
- https://github.com/openclaw/openclaw/commit/14baadda2c456f3cf749f1f97e8678746a34a7f4
- https://github.com/openclaw/openclaw/commit/630f1479c44f78484dfa21bb407cbe6f171dac87
- https://github.com/openclaw/openclaw/commit/ccfeecb6887cd97937e33a71877ad512741e82b2
- https://github.com/openclaw/openclaw/commit/dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53
- https://github.com/openclaw/openclaw/security/advisories/GHSA-cfp9-w5v9-3q4h