CVE-2026-35658: OpenClaw: sandbox bypass exposes host filesystem reads

MEDIUM
Published April 10, 2026
CISO Take

OpenClaw's image tool fails to enforce the workspaceOnly sandbox restriction, allowing any low-privilege session holder to traverse bridge mounts and read arbitrary host files outside the designated workspace. With network-accessible exploitation requiring no user interaction and only low privileges, the attack surface covers any deployment exposing OpenClaw agent sessions to untrusted or external users — credentials, API tokens, environment files, and secrets on the host are all in scope. EPSS data is unavailable and the vulnerability is not in CISA KEV, but the High confidentiality impact combined with a package carrying 395 historical CVEs signals an ecosystem with persistent security debt that warrants urgency. Upgrade to OpenClaw 2026.3.2 immediately; if patching is not yet possible, disable or policy-restrict the image tool in agent configurations and audit the OS-level permissions of the OpenClaw process to enforce least privilege on sensitive paths.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

Medium severity by score but elevated concern in AI agent deployments. The CVSS vector (AV:N/AC:L/PR:L/UI:N/C:H) means exploitation is straightforward — no complex preconditions, no victim interaction required, and confidentiality impact is rated High. The attack bypasses a declared security control (workspaceOnly), making it a trust-boundary violation rather than a typical misconfiguration. Only 4 downstream package dependents limit ecosystem blast radius, but organizations running OpenClaw in multi-tenant or internet-exposed pipelines face meaningful exposure to host-level secrets theft. The package's history of 395 CVEs and the AIID #1368 incident involving malicious skills in the OpenClaw ecosystem elevate the realistic threat actor interest in this tool.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains a low-privilege OpenClaw session via a trial account, stolen credentials, or a compromised skill distributed through the ClawHub ecosystem.

  2. Tool Exploitation (AML.T0053): Attacker invokes the image tool with crafted path arguments that traverse sandbox bridge mount boundaries, exploiting the workspaceOnly enforcement that other filesystem tools apply but the image tool lacks.

  3. Sandbox Escape (AML.T0105): The image tool reads files outside the workspace without triggering the restriction, breaking the declared trust boundary between the agent sandbox and the host filesystem.

  4. Data Exfiltration (AML.T0037): Attacker retrieves sensitive host files — environment variables, API keys, cloud credentials, or application secrets — accessible to the OpenClaw process, completing the unauthorized data collection.

What systems are affected?

Package: OpenClaw
Ecosystem: pip
Vulnerable Range: (not listed)
Patched: No patch
Dependents: 4 (37% patched, ~3d to patch)

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

5 steps
  1. Patch: upgrade OpenClaw to version 2026.3.2 or apply commits ccfeecb6, 630f1479, dd9d9c1c, and 14baadda referenced in the advisory.

  2. Interim workaround: disable the image tool in agent policy configuration or restrict it via an explicit allowlist of approved workspace paths.

  3. Least-privilege OS hardening: run the OpenClaw process under a dedicated OS user with no read access to /etc, ~/.ssh, ~/.aws, /proc/self/environ, or application secret directories.

  4. Detection: deploy auditd rules targeting file opens by the OpenClaw process on sensitive paths outside the workspace; alert on image tool invocations in session logs that reference non-workspace paths.

  5. Treat this as a prompt for a broader review of all agent tool sandbox configurations, not just the image tool.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2 - AI system security controls
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-35658 actively exploited?

No confirmed active exploitation of CVE-2026-35658 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-35658?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, AI tool orchestration pipelines.

What is the CVSS score for CVE-2026-35658?

CVE-2026-35658 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-tenant AI platforms, AI tool orchestration pipelines

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0053 AI Agent Tool Invocation
AML.T0105 Escape to Host
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.

Exploitation Scenario

An adversary with a low-privilege OpenClaw account — obtained via a free trial, credential stuffing, or a compromised skill in the ClawHub ecosystem — crafts image tool requests using path sequences that traverse the sandbox bridge mount boundaries. Because the image tool lacks the workspaceOnly check applied by other filesystem tools, these requests succeed and return raw file contents from the host. The attacker iterates through /proc/self/environ for loaded environment variables, /opt/app/.env for application secrets, and ~/.aws/credentials for cloud access keys. In a multi-tenant deployment this becomes lateral movement between tenant contexts. Given that AIID #1368 documents malicious OpenClaw skills already performing credential exfiltration via ClawHub, a poisoned skill could automate this traversal silently across any connected session running a vulnerable version.
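The advisory describes a filesystem tool that skips the workspaceOnly check its sibling tools apply, and steps 2 and 4 of the remediation list ask for an allowlist of approved workspace paths and for alerts on image tool invocations that reference non-workspace paths. The block below is an added example and is not OpenClaw's code: a workspaceOnly-style guard that resolves symlinks and `..` segments before comparing against the workspace root, the same read path with and without that guard, and a scanner that flags session-log lines whose tool path resolves outside the workspace. A symlink inside the workspace pointing outside it stands in for a bridge mount, which is an assumption about how such mounts behave; the function names, log-line format, and directory layout are likewise assumptions.

```python
import os
import re
import tempfile
from typing import Iterable, List, Optional, Tuple

# Assumed session-log shape: "... tool=<name> path=<path>" (not OpenClaw's real format).
LOG_LINE = re.compile(r"tool=(?P<tool>\S+)\s+path=(?P<path>\S+)")


def resolve_inside_workspace(workspace: str, requested: str) -> Optional[str]:
    """Return the canonical path if `requested` lands inside `workspace`, else None.

    Resolution (symlinks and '..') happens before the comparison, so a path is
    judged by where it ends up on disk rather than by how it is spelled.
    """
    root = os.path.realpath(workspace)
    # Relative requests are taken relative to the workspace; absolute ones stay as given.
    candidate = os.path.realpath(os.path.join(root, requested))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        inside = False
    return candidate if inside else None


def read_image_unguarded(workspace: str, requested: str) -> bytes:
    """Shape of the defect: the tool reads whatever path it is handed."""
    with open(os.path.join(workspace, requested), "rb") as f:
        return f.read()


def read_image_guarded(workspace: str, requested: str) -> bytes:
    """Same tool with a workspaceOnly-style check applied before the read."""
    path = resolve_inside_workspace(workspace, requested)
    if path is None:
        raise PermissionError(f"workspaceOnly: {requested!r} resolves outside the workspace")
    with open(path, "rb") as f:
        return f.read()


def guard_blocks(workspace: str, requested: str) -> bool:
    """True if the guarded read refuses `requested`."""
    try:
        read_image_guarded(workspace, requested)
    except PermissionError:
        return True
    return False


def flag_non_workspace_invocations(workspace: str, log_lines: Iterable[str],
                                   tools: Tuple[str, ...] = ("image",)) -> List[str]:
    """Step-4 style detection: return log lines where a watched tool was handed a
    path that resolves outside the workspace."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if m and m.group("tool") in tools:
            if resolve_inside_workspace(workspace, m.group("path")) is None:
                hits.append(line)
    return hits


def build_demo_tree() -> Tuple[str, str]:
    """Constructed layout: <tmp>/workspace holding logo.png, <tmp>/outside holding
    a secret, and a symlink workspace/bridge -> <tmp>/outside that stands in for a
    bridge mount reaching past the workspace boundary (an assumption, see lead-in)."""
    base = tempfile.mkdtemp()
    ws, outside = os.path.join(base, "workspace"), os.path.join(base, "outside")
    os.makedirs(ws)
    os.makedirs(outside)
    with open(os.path.join(ws, "logo.png"), "wb") as f:
        f.write(b"\x89PNG demo")
    with open(os.path.join(outside, "secret"), "wb") as f:
        f.write(b"TOKEN=constructed-value")
    os.symlink(outside, os.path.join(ws, "bridge"))
    return ws, outside


# Constructed session-log lines (timestamps and session ids are made up).
SAMPLE_SESSION_LOG = [
    "2026-04-11T10:02:13Z session=s-1 tool=image path=logo.png",
    "2026-04-11T10:02:20Z session=s-1 tool=image path=bridge/secret",
    "2026-04-11T10:02:31Z session=s-2 tool=image path=../outside/secret",
    "2026-04-11T10:02:40Z session=s-2 tool=read_file path=sub/../logo.png",
]


if __name__ == "__main__":
    ws, _ = build_demo_tree()
    print("unguarded read via symlink:", read_image_unguarded(ws, "bridge/secret"))
    print("guarded read refuses it:", guard_blocks(ws, "bridge/secret"))
    for line in flag_non_workspace_invocations(ws, SAMPLE_SESSION_LOG):
        print("ALERT:", line)
```

The important design point is the order of operations: the candidate path is canonicalised with `os.path.realpath` first and only then compared with `os.path.commonpath`, so a request that is spelled as a workspace-relative path but lands elsewhere through a link or mount point is rejected on the same basis as a plain `..` traversal. The log scanner reuses that guard so detection and enforcement agree on what "outside the workspace" means.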

Weaknesses (CWE)

CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 10, 2026
Last Modified: June 23, 2026
First Seen: June 23, 2026
