GHSA-6c4r-g249-wv3c: OpenClaw: sandbox leaks host workspace path to child

GHSA-6c4r-g249-wv3c MEDIUM
Published July 2, 2026
CISO Take

A flaw in OpenClaw's sandboxed session-spawn feature can forward the real host workspace path (and related memory context) into a child session's prompt, breaking the isolation a sandbox is supposed to guarantee. This matters because OpenClaw is an AI agent framework with at least 4 downstream dependents and 425 other CVEs on record, so any trust-boundary bug here compounds an already-large attack surface. There is no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this reads as a disclosed-but-not-weaponized issue rather than an active threat. The real-world impact depends entirely on configuration: it only matters if the child-spawn feature is enabled and a lower-trust actor (user, plugin, or shared Gateway tenant) can reach that child session. Patch to 2026.4.26 or later; until then, avoid spawning child sessions from sensitive sandboxed workspaces and disable the feature if it isn't actively needed. For detection, audit logs and child-session transcripts for host filesystem paths appearing in prompts; that is the sign the leak occurred before patching.

Sources: GitHub Advisory ATLAS

What is the risk?

Medium severity is appropriate: this is an information-disclosure bug (CWE-668, Exposure of Resource to Wrong Sphere), not remote code execution, and it requires a specific feature (sandboxed child-session spawning) to be enabled and reachable by lower-trust input. No CVSS vector, EPSS score, KEV listing, exploit code, or scanner template exists, which is consistent with coordinated disclosure rather than discovery in the wild. However, OpenClaw's role as a general-purpose AI agent framework and its history of 425 other CVEs suggest the surrounding codebase has a broad and recurring attack surface, so operators running multi-tenant or shared Gateway deployments should not treat this as low-priority.

How does the attack unfold?

Precondition (ATLAS AML.T0084, Discover AI Agent Configuration)
Operator has the sandboxed child-session-spawn feature enabled and reachable, with a shared Gateway or lower-trust actor able to interact with spawned child sessions.
Trigger
A parent session running in a sandbox spawns a child session, and the affected code forwards the real host workspace path and related memory context into the child's prompt.
Exposure (ATLAS AML.T0037, Data from Local System)
The lower-trust actor with access to the child session's context reads the disclosed host workspace path and memory context.
Impact
Adversary uses the disclosed filesystem/workspace information as reconnaissance to inform further targeting of the host environment or chain with other vulnerabilities.
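The trigger step above comes down to which workspace path a sandboxed parent hands its child. The JavaScript below is an added illustration of that bug class and its fix; it is not OpenClaw's code, and the session fields and function names (buildChildPromptVulnerable, buildChildPromptHardened, findHostPathLeaks) are assumptions made for this example.

```javascript
// Added illustration of the bug class, not OpenClaw's code. The session shape and the
// function names are assumptions made for this example.

// Constructed sandboxed parent session. It knows two paths: the real host directory it
// was mounted from and the path the sandbox exposes to the model.
const parent = {
  id: 'parent-1',
  sandboxed: true,
  hostWorkspace: '/home/alice/projects/payments-service', // real host path (must not leak)
  sandboxWorkspace: '/workspace',                           // what a sandboxed model may see
  memory: [
    'deploy target: prod cluster eu-west-1',
    'scratch notes live in /home/alice/projects/payments-service/notes/TODO.md',
  ],
};

// Vulnerable builder: copies the host path and raw memory straight into the child prompt,
// which is the behaviour the advisory describes.
function buildChildPromptVulnerable(parent, task) {
  return [
    `Workspace: ${parent.hostWorkspace}`,
    `Memory:\n${parent.memory.join('\n')}`,
    `Task: ${task}`,
  ].join('\n\n');
}

// Hardened builder: a sandboxed parent only hands the child the sandbox-visible path, and
// memory entries are rewritten so the host prefix never crosses the sandbox boundary.
// An unsandboxed parent is on the trusted side of that boundary and keeps its real path.
function buildChildPromptHardened(parent, task) {
  const visible = parent.sandboxed ? parent.sandboxWorkspace : parent.hostWorkspace;
  const scrub = (s) =>
    parent.sandboxed ? s.split(parent.hostWorkspace).join(parent.sandboxWorkspace) : s;
  return [
    `Workspace: ${visible}`,
    `Memory:\n${parent.memory.map(scrub).join('\n')}`,
    `Task: ${task}`,
  ].join('\n\n');
}

// Boundary check a spawn path can run before sending the prompt: returns every line of the
// prompt that still carries the host workspace path (an empty array means nothing leaked).
function findHostPathLeaks(prompt, hostWorkspace) {
  return prompt.split('\n').filter((line) => line.includes(hostWorkspace));
}

// Demo on the constructed session.
const task = 'list open TODO items';
console.log('vulnerable leaks:', findHostPathLeaks(buildChildPromptVulnerable(parent, task), parent.hostWorkspace));
console.log('hardened leaks:  ', findHostPathLeaks(buildChildPromptHardened(parent, task), parent.hostWorkspace));
```

The check in findHostPathLeaks is the kind of guard worth keeping even after patching: it fails closed on the exact string that must not cross the boundary, independent of how the prompt is assembled.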

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
OpenClaw   npm         <= 2026.4.25       2026.4.26

4 dependents; 41% patched; ~3 days to patch.

If you run OpenClaw 2026.4.25 or earlier you are in the vulnerable range; whether the bug is reachable in your deployment depends on the child-session-spawn configuration described above.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

What should I do?

  1. Upgrade OpenClaw to 2026.4.26 or later immediately.
  2. Until patched, avoid spawning child sessions from sandboxed workspaces that contain sensitive data or paths.
  3. Keep channel and tool allowlists narrow to limit which actors can trigger child-session spawns.
  4. Do not share a single Gateway between mutually untrusted users/tenants.
  5. Disable the child-session-spawn feature entirely if it is not required.
  6. For detection, review logs/transcripts of child sessions for unexpected host filesystem paths or workspace metadata appearing in prompts.
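The detection step is simple enough to script. The JavaScript below is an added example, not OpenClaw's own tooling; the transcript is constructed here as JSON Lines with session/parent/role/content fields, and the host-root patterns and the sandbox prefix list are assumptions to be adapted to the real log schema and fleet.

```javascript
// Added detection example, not OpenClaw's code. The transcript is constructed here as
// JSON Lines with fields session/parent/role/content; adapt the field names, the host
// path patterns and the sandbox prefix list to the real log schema before use.
const SAMPLE_TRANSCRIPT = [
  '{"session":"parent-1","role":"system","content":"Workspace: /home/alice/projects/payments-service"}',
  '{"session":"child-7","parent":"parent-1","role":"system","content":"Workspace: /home/alice/projects/payments-service"}',
  '{"session":"child-7","parent":"parent-1","role":"user","content":"Summarise /workspace/README.md"}',
  '{"session":"child-8","parent":"parent-1","role":"system","content":"Workspace: /workspace"}',
  '{"session":"child-9","parent":"parent-2","role":"system","content":"Notes: C:\\\\Users\\\\bob\\\\src\\\\agent\\\\TODO.md"}',
  'garbled line that is not JSON',
].join('\n');

// Absolute paths rooted where a host (not a sandbox) keeps its files. Tune per fleet.
const HOST_PATH_PATTERNS = [
  /\/(?:home|Users|root|var|opt|srv|mnt)\/[^\s"'`]+/g,        // POSIX host roots
  /[A-Za-z]:\\(?:Users|Windows|Program Files)\\[^\s"'`]*/g,   // Windows host roots
];

// Paths a sandboxed model is allowed to see; anything under these is not a finding.
const SANDBOX_PREFIXES = ['/workspace'];

function scanChildTranscript(text, sandboxPrefixes = SANDBOX_PREFIXES) {
  const findings = [];
  let skippedLines = 0;
  text.split('\n').forEach((line, idx) => {
    if (!line.trim()) return;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      skippedLines += 1; // unparseable line: counted so gaps in the log stay visible
      return;
    }
    // Only child sessions matter: a parent session legitimately knows its own workspace.
    if (!rec.parent || typeof rec.content !== 'string') return;
    for (const re of HOST_PATH_PATTERNS) {
      for (const m of rec.content.matchAll(re)) {
        const path = m[0];
        if (sandboxPrefixes.some((p) => path.startsWith(p))) continue;
        findings.push({ line: idx + 1, session: rec.session, parent: rec.parent, role: rec.role, path });
      }
    }
  });
  return { findings, skippedLines };
}

// Demo: run against the constructed sample.
const report = scanChildTranscript(SAMPLE_TRANSCRIPT);
for (const f of report.findings) {
  console.log(`line ${f.line}: child ${f.session} (parent ${f.parent}, ${f.role}) saw host path ${f.path}`);
}
console.log(`${report.findings.length} finding(s), ${report.skippedLines} unparseable line(s)`);
```

A hit in a child session's system or prompt turn, rather than in user-supplied text, is the strongest signal: it means the spawn path itself injected the host location, which is exactly the pre-patch behaviour.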

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-6c4r-g249-wv3c?

An information-disclosure flaw (CWE-668) in OpenClaw's sandboxed session-spawn feature: in affected versions (<= 2026.4.25), a child session spawned from a sandboxed parent could receive the real host workspace path and related memory context in its prompt, breaking the sandbox boundary. It is only reachable when the child-spawn feature is enabled and a lower-trust actor (user, plugin, or shared Gateway tenant) can interact with the child session. Fixed in 2026.4.26; no known exploitation.

Is GHSA-6c4r-g249-wv3c actively exploited?

No confirmed active exploitation of GHSA-6c4r-g249-wv3c has been reported, but organizations should still patch proactively.

How to fix GHSA-6c4r-g249-wv3c?

Upgrade OpenClaw to 2026.4.26 or later. Until then, avoid spawning child sessions from sandboxed workspaces that hold sensitive data or paths, keep channel and tool allowlists narrow, do not share one Gateway between mutually untrusted tenants, and disable the child-session-spawn feature if it is not required. For detection, review child-session logs and transcripts for host filesystem paths or workspace metadata appearing in prompts.

What systems are affected by GHSA-6c4r-g249-wv3c?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, sandboxed execution environments.

What is the CVSS score for GHSA-6c4r-g249-wv3c?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks; multi-agent orchestration; sandboxed execution environments

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary
Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed.

### Impact
When the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path.

### Patched Versions
The first stable patched version is `2026.4.26`.

### Mitigations
Avoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.

Exploitation Scenario

An operator runs OpenClaw with sandboxed agent sessions shared across multiple users or tenants on one Gateway. A parent session (sandboxed, trusted) spawns a child session to handle a sub-task, and the affected version forwards the real host workspace path into that child's prompt. A lower-trust actor who can interact with or read output from that child session, for example another tenant, a less-trusted plugin, or a downstream tool invocation, now learns the host's real filesystem layout and workspace context. This information alone is not code execution, but it gives the adversary reconnaissance data (real paths, project structure) that can be chained with other bugs (for example, an unrelated path-traversal or file-access flaw that needs a real host path to target) to escalate further.

Weaknesses (CWE)

CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Source: MITRE CWE corpus.

Timeline

Published
July 2, 2026
Last Modified
July 2, 2026
First Seen
July 2, 2026

Related Vulnerabilities