CVE-2026-35668: OpenClaw sandbox path traversal

CISO Take

OpenClaw before 2026.3.24 contains a path traversal flaw in its sandbox enforcement layer that allows a sandboxed agent to read arbitrary files from other agents' workspaces by submitting unnormalized mediaUrl or fileUrl parameters—bypassing the intended isolation boundary. The scope change (S:C in the CVSS 7.7 vector) is the key concern: a single compromised or malicious agent can pivot to exfiltrate API keys and configuration data belonging to co-hosted agents, collapsing the trust boundary of the entire multi-agent deployment. The attack requires only low privileges and no user interaction, making it trivially exploitable for any agent with legitimate access to the framework. No public exploit or active exploitation is confirmed, and only 4 downstream packages depend on OpenClaw, which bounds aggregate blast radius—but the credential theft risk in multi-agent environments is high-consequence in any production deployment. Upgrade to OpenClaw ≥2026.3.24 immediately and rotate any secrets stored in agent workspaces on vulnerable installations.

Sources: NVD GitHub Advisory VulnCheck ATLAS

What is the risk?

CVSS 7.7 High with Scope:Changed is the defining risk signal—cross-agent sandbox escape in an orchestrated environment is categorically different from a single-system path traversal. Low attack complexity and no user interaction mean exploitation requires no specialized skill beyond crafting a path traversal string. No EPSS data, no CISA KEV listing, and absence of public exploits reduce urgency, but the vulnerability class—sandbox escape enabling cross-agent credential theft—is high-consequence wherever OpenClaw agents share a host filesystem with secrets in their workspaces. Limited downstream ecosystem (4 dependents) bounds total exposure surface.

How does the attack unfold?

Initial Access

Adversary obtains low-privilege access to a sandboxed OpenClaw agent, either by compromising an existing agent or deploying a malicious agent into a shared multi-agent environment.

AML.T0053

Exploitation

Attacker crafts unnormalized mediaUrl or fileUrl values containing path traversal sequences that bypass the incomplete validation in normalizeSandboxMediaParams due to missing mediaLocalRoots context.

AML.T0049

Collection

The traversed path resolves outside the sandbox root, enabling the agent to read arbitrary files from other agents' workspaces including .env files, API keys, and service configuration data.

AML.T0037

Impact

Exfiltrated credentials enable lateral movement to external AI services or downstream systems, collapsing trust boundaries across the entire multi-agent deployment.

AML.T0083

Initial Access

Adversary obtains low-privilege access to a sandboxed OpenClaw agent, either by compromising an existing agent or deploying a malicious agent into a shared multi-agent environment.

AML.T0053

Exploitation

Attacker crafts unnormalized mediaUrl or fileUrl values containing path traversal sequences that bypass the incomplete validation in normalizeSandboxMediaParams due to missing mediaLocalRoots context.

AML.T0049

Collection

The traversed path resolves outside the sandbox root, enabling the agent to read arbitrary files from other agents' workspaces including .env files, API keys, and service configuration data.

AML.T0037

Impact

Exfiltrated credentials enable lateral movement to external AI services or downstream systems, collapsing trust boundaries across the entire multi-agent deployment.

AML.T0083

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
OpenClaw	pip	—	No patch
4 dependents 37% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1

7.7 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Changed

C High

I None

A None

What should I do?

5 steps

Patch: Upgrade OpenClaw to ≥2026.3.24—this is the only confirmed fix addressing normalizeSandboxMediaParams validation and mediaLocalRoots context enforcement.
Workaround (until patched): Enforce sandbox boundaries independently via OS-level controls—chroot jails, Docker namespaces, or seccomp profiles—to prevent cross-workspace filesystem access at the kernel level.
Rotate credentials: Treat any API keys, tokens, or secrets stored in agent workspace directories as potentially compromised if running a vulnerable OpenClaw version in a multi-agent deployment.
Detection: Audit filesystem access logs for reads outside expected agent workspace roots; alert on any process accessing sibling workspace paths.
Input validation: Reject or canonicalize any user-supplied mediaUrl or fileUrl values before passing to OpenClaw APIs as a defense-in-depth layer.

How is it classified?

Data Extraction Auth Bypass Agent Framework AML.T0037 - Data from Local System AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - Data protection in AI systems

NIST AI RMF

GOVERN 1.7 - Processes for AI risk management

OWASP LLM Top 10

LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-35668?

OpenClaw before 2026.3.24 contains a path traversal flaw in its sandbox enforcement layer that allows a sandboxed agent to read arbitrary files from other agents' workspaces by submitting unnormalized mediaUrl or fileUrl parameters—bypassing the intended isolation boundary. The scope change (S:C in the CVSS 7.7 vector) is the key concern: a single compromised or malicious agent can pivot to exfiltrate API keys and configuration data belonging to co-hosted agents, collapsing the trust boundary of the entire multi-agent deployment. The attack requires only low privileges and no user interaction, making it trivially exploitable for any agent with legitimate access to the framework. No public exploit or active exploitation is confirmed, and only 4 downstream packages depend on OpenClaw, which bounds aggregate blast radius—but the credential theft risk in multi-agent environments is high-consequence in any production deployment. Upgrade to OpenClaw ≥2026.3.24 immediately and rotate any secrets stored in agent workspaces on vulnerable installations.

Is CVE-2026-35668 actively exploited?

No confirmed active exploitation of CVE-2026-35668 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35668?

1. Patch: Upgrade OpenClaw to ≥2026.3.24—this is the only confirmed fix addressing normalizeSandboxMediaParams validation and mediaLocalRoots context enforcement. 2. Workaround (until patched): Enforce sandbox boundaries independently via OS-level controls—chroot jails, Docker namespaces, or seccomp profiles—to prevent cross-workspace filesystem access at the kernel level. 3. Rotate credentials: Treat any API keys, tokens, or secrets stored in agent workspace directories as potentially compromised if running a vulnerable OpenClaw version in a multi-agent deployment. 4. Detection: Audit filesystem access logs for reads outside expected agent workspace roots; alert on any process accessing sibling workspace paths. 5. Input validation: Reject or canonicalize any user-supplied mediaUrl or fileUrl values before passing to OpenClaw APIs as a defense-in-depth layer.

What systems are affected by CVE-2026-35668?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, AI pipeline automation.

What is the CVSS score for CVE-2026-35668?

CVE-2026-35668 has a CVSS v3.1 base score of 7.7 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestrationAI pipeline automation

MITRE ATLAS Techniques

AML.T0037 Data from Local System

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0083 Credentials from AI Agent Configuration

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.3

NIST AI RMF: GOVERN 1.7

OWASP LLM Top 10: LLM08

What are the technical details?

Original Advisory

OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.

Exploitation Scenario

An adversary deploys or compromises a sandboxed OpenClaw agent within a shared multi-agent deployment. They craft a mediaUrl parameter containing unnormalized path traversal sequences—for example, `../../../../other-agent-workspace/.env`—and submit it through the agent's media handling interface. The vulnerable normalizeSandboxMediaParams function fails to resolve the traversal because the mediaLocalRoots context required for proper root-anchoring is absent from the validation call. The request escapes the sandbox root and the agent reads the target file, returning API keys for the victim agent's LLM provider or downstream service integrations. The attacker then uses the exfiltrated credentials to impersonate the victim agent's identity against external services or to pivot laterally across the entire multi-agent deployment.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.