GHSA-6c4r-g249-wv3c: OpenClaw: sandbox leaks host workspace path to child
GHSA-6c4r-g249-wv3c MEDIUMA flaw in OpenClaw's sandboxed session-spawn feature can forward the real host workspace path (and related memory context) into a child session's prompt, breaking the isolation a sandbox is supposed to guarantee. This matters because OpenClaw is an AI agent framework with at least 4 downstream dependents and 425 other CVEs on record, so any trust-boundary bug here compounds an already-large attack surface; there's no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this reads as a disclosed-but-not-weaponized issue rather than an active threat. The real-world impact depends entirely on configuration: it only matters if the child-spawn feature is enabled and a lower-trust actor (user, plugin, or shared Gateway tenant) can reach that child session. Patch to 2026.4.26 or later; until then, avoid spawning child sessions from sensitive sandboxed workspaces and disable the feature if it isn't actively needed. Detection-wise, audit logs or child-session transcripts for host filesystem paths appearing in prompts as a sign the leak occurred pre-patch.
What is the risk?
Medium severity is appropriate: this is an information-disclosure bug (CWE-668, exposure of resource to wrong sphere), not remote code execution, and requires a specific feature (sandboxed child-session spawning) to be enabled and reachable by lower-trust input. No CVSS vector, EPSS score, KEV listing, exploit code, or scanner template exists, indicating this was responsibly disclosed rather than found via active exploitation. However, OpenClaw's role as a general-purpose AI agent framework and its history of 425 other CVEs suggest the surrounding codebase has a broad and recurring attack surface, so operators running multi-tenant or shared Gateway deployments should not treat this as low-priority.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | <= 2026.4.25 | 2026.4.26 |
Do you use OpenClaw? You're affected.
How severe is it?
What should I do?
1 step-
1) Upgrade OpenClaw to 2026.4.26 or later immediately. 2) Until patched, avoid spawning child sessions from sandboxed workspaces that contain sensitive data or paths. 3) Keep channel and tool allowlists narrow to limit which actors can trigger child-session spawns. 4) Do not share a single Gateway between mutually untrusted users/tenants. 5) Disable the child-session-spawn feature entirely if it is not required. 6) For detection, review logs/transcripts of child sessions for unexpected host filesystem paths or workspace metadata appearing in prompts.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-6c4r-g249-wv3c?
A flaw in OpenClaw's sandboxed session-spawn feature can forward the real host workspace path (and related memory context) into a child session's prompt, breaking the isolation a sandbox is supposed to guarantee. This matters because OpenClaw is an AI agent framework with at least 4 downstream dependents and 425 other CVEs on record, so any trust-boundary bug here compounds an already-large attack surface; there's no EPSS score, no CISA KEV listing, and no public exploit or Nuclei template yet, so this reads as a disclosed-but-not-weaponized issue rather than an active threat. The real-world impact depends entirely on configuration: it only matters if the child-spawn feature is enabled and a lower-trust actor (user, plugin, or shared Gateway tenant) can reach that child session. Patch to 2026.4.26 or later; until then, avoid spawning child sessions from sensitive sandboxed workspaces and disable the feature if it isn't actively needed. Detection-wise, audit logs or child-session transcripts for host filesystem paths appearing in prompts as a sign the leak occurred pre-patch.
Is GHSA-6c4r-g249-wv3c actively exploited?
No confirmed active exploitation of GHSA-6c4r-g249-wv3c has been reported, but organizations should still patch proactively.
How to fix GHSA-6c4r-g249-wv3c?
1) Upgrade OpenClaw to 2026.4.26 or later immediately. 2) Until patched, avoid spawning child sessions from sandboxed workspaces that contain sensitive data or paths. 3) Keep channel and tool allowlists narrow to limit which actors can trigger child-session spawns. 4) Do not share a single Gateway between mutually untrusted users/tenants. 5) Disable the child-session-spawn feature entirely if it is not required. 6) For detection, review logs/transcripts of child sessions for unexpected host filesystem paths or workspace metadata appearing in prompts.
What systems are affected by GHSA-6c4r-g249-wv3c?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, sandboxed execution environments.
What is the CVSS score for GHSA-6c4r-g249-wv3c?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0084 Discover AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
### Summary Sandboxed session spawn could expose the real workspace path to child prompts. In affected versions, a child session spawned from a sandboxed parent could forward the host workspace path into the child session prompt. This advisory is scoped to the named feature and configuration. It does not change OpenClaw's trusted-operator model: authenticated Gateway operators, installed plugins, and intentional local execution surfaces remain trusted unless a separate policy, approval, allowlist, sandbox, or auth boundary is crossed. ### Impact When the affected feature is enabled and reachable, this could reveal host workspace location or related memory context to the child model. Practical impact depends on the operator's configuration and whether lower-trust input can reach that path. ### Patched Versions The first stable patched version is `2026.4.26`. ### Mitigations avoid spawning child sessions from sensitive sandboxed workspaces until patched. As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.
Exploitation Scenario
An operator runs OpenClaw with sandboxed agent sessions shared across multiple users or tenants on one Gateway. A parent session (sandboxed, trusted) spawns a child session to handle a sub-task, and the affected version forwards the real host workspace path into that child's prompt. A lower-trust actor who can interact with or read output from that child session — for example another tenant, a less-trusted plugin, or downstream tool invocation — now learns the host's real filesystem layout and workspace context. This information alone isn't code execution, but it gives the adversary reconnaissance data (real paths, project structure) that can be chained with other bugs (e.g., a path-traversal or file-access flaw elsewhere in the 425 other OpenClaw CVEs) to escalate further.
Weaknesses (CWE)
CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw