Update OpenClaw to 2026.3.24 immediately if running multi-agent deployments. This flaw lets any sandboxed agent read API keys, secrets, and session data from other agents' workspaces by exploiting an incomplete parameter allowlist — completely defeating multi-agent isolation. Until patched, disable channel plugin media functionality or isolate agents on separate hosts.
What is the risk?
High severity (CVSS 7.7) with low exploit complexity — any authenticated agent user can trigger the bypass without user interaction. The scope change (S:C) reflects cross-agent boundary violation. Real-world risk likely exceeds CVSS score: stolen API keys from agent workspaces can cascade into full service compromise. Most exposed are production multi-agent deployments using Discord, Telegram, Slack, Matrix, or Twitch channel plugins.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.3.24 | 2026.3.24 |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
4 steps-
PATCH
Upgrade to OpenClaw 2026.3.24 — the only complete fix.
-
WORKAROUND if unable to patch immediately: disable channel plugin media attachment handling or run each agent in a fully isolated container with no shared filesystem.
-
DETECTION
Audit logs for message tool calls containing 'mediaUrl' or 'fileUrl' parameters pointing outside the calling agent's sandbox root (any path not prefixed by the agent's designated workspace).
-
POST-INCIDENT: Rotate all API keys and credentials stored in OpenClaw agent workspaces as a precaution, even absent confirmed breach.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is GHSA-hr5v-j9h9-xjhg?
Update OpenClaw to 2026.3.24 immediately if running multi-agent deployments. This flaw lets any sandboxed agent read API keys, secrets, and session data from other agents' workspaces by exploiting an incomplete parameter allowlist — completely defeating multi-agent isolation. Until patched, disable channel plugin media functionality or isolate agents on separate hosts.
Is GHSA-hr5v-j9h9-xjhg actively exploited?
No confirmed active exploitation of GHSA-hr5v-j9h9-xjhg has been reported, but organizations should still patch proactively.
How to fix GHSA-hr5v-j9h9-xjhg?
1. PATCH: Upgrade to OpenClaw 2026.3.24 — the only complete fix. 2. WORKAROUND if unable to patch immediately: disable channel plugin media attachment handling or run each agent in a fully isolated container with no shared filesystem. 3. DETECTION: Audit logs for message tool calls containing 'mediaUrl' or 'fileUrl' parameters pointing outside the calling agent's sandbox root (any path not prefixed by the agent's designated workspace). 4. POST-INCIDENT: Rotate all API keys and credentials stored in OpenClaw agent workspaces as a precaution, even absent confirmed breach.
What systems are affected by GHSA-hr5v-j9h9-xjhg?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent systems, plugin architectures, AI chatbot platforms.
What is the CVSS score for GHSA-hr5v-j9h9-xjhg?
GHSA-hr5v-j9h9-xjhg has a CVSS v3.1 base score of 7.7 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0037 Data from Local System AML.T0051.000 Direct AML.T0053 AI Agent Tool Invocation AML.T0083 Credentials from AI Agent Configuration AML.T0105 Escape to Host Compliance Controls Affected
What are the technical details?
Original Advisory
> Fixed in OpenClaw 2026.3.24, the current shipping release. ### Advisory Details **Title**: Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22) **Description**: ### Summary A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents' workspaces by using the `mediaUrl` or `fileUrl` parameter key in message tool calls. The `normalizeSandboxMediaParams` function only checks `["media", "path", "filePath"]` keys, while `mediaUrl` and `fileUrl` escape normalization entirely. Combined with `handlePluginAction` dropping `mediaLocalRoots` from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root. ### Details The vulnerability exists in two files within the messaging pipeline: **1. Incomplete parameter key coverage in `normalizeSandboxMediaParams`:** In `src/infra/outbound/message-action-params.ts`, the function iterates over a hardcoded allowlist of parameter keys to validate: ```typescript // Line 212 const mediaKeys: Array<"media" | "path" | "filePath"> = ["media", "path", "filePath"]; ``` The `mediaUrl` and `fileUrl` parameter keys are not included in this array. These keys are actively used by multiple channel extensions (Discord, Telegram, Slack, Matrix, Twitch) for media attachment handling, but they completely bypass the sandbox path validation performed by `resolveSandboxedMediaSource`. **2. Dropped `mediaLocalRoots` in `handlePluginAction`:** In `src/infra/outbound/message-action-runner.ts`, the `handlePluginAction` function dispatches actions to channel plugins but omits `mediaLocalRoots` from the context: ```typescript // Lines 684-697 const handled = await dispatchChannelMessageAction({ channel, action, cfg, params, accountId: accountId ?? undefined, requesterSenderId: input.requesterSenderId ?? undefined, sessionKey: input.sessionKey, sessionId: input.sessionId, agentId, gateway, toolContext: input.toolContext, dryRun, // mediaLocalRoots is MISSING here }); ``` Despite `ChannelMessageActionContext` defining `mediaLocalRoots?: readonly string[]` (in `src/channels/plugins/types.core.ts` line 478), plugins receive `undefined` and fall back to `getDefaultMediaLocalRoots()`, which permits reads of the entire `~/.openclaw/` directory tree — including all agents' workspaces. **Attack chain:** 1. A sandboxed agent (Agent-A at `~/.openclaw/workspace/agent-a/`) calls the message tool with `{ mediaUrl: "~/.openclaw/workspace/agent-b/secret.txt" }` 2. `normalizeSandboxMediaParams` skips the `mediaUrl` key (not in allowlist) 3. `handlePluginAction` dispatches without `mediaLocalRoots` 4. Plugin calls `loadWebMedia` with default roots, which allows `~/.openclaw/workspace/**` 5. Agent-B's secret file content is read and sent as a channel attachment ### PoC **Prerequisites:** - Docker installed - OpenClaw Docker image built (`openclaw-gateway:latest`) **Steps:** 1. Start the vulnerable gateway container: ```bash cd llm-enhance/cve-finding/Path_Traversal/CVE-2026-27522-Media_Root_Bypass-variant-exp/ docker compose up -d sleep 5 ``` 2. Run the exploit: ```bash python3 poc_exploit.py ``` 3. The exploit writes a secret file to `~/.openclaw/workspace/agent-b/secret_key.txt` inside the container, then invokes `normalizeSandboxMediaParams` with Agent-A's sandbox policy and `{ mediaUrl: <agent-b-secret-path> }`. The `mediaUrl` key bypasses normalization, and `loadWebMedia` reads the file successfully. 4. Run the control experiment to confirm sandbox works for checked keys: ```bash python3 control-sandbox_enforced.py ``` ### Log of Evidence **Exploit output:** ``` === CVE-2026-27522 Variant: Sandbox Media Root Bypass === [*] Container 'openclaw-media-bypass-test' is running [*] Running exploit script with Bun... [VULNERABLE] mediaUrl bypassed normalizeSandboxMediaParams! Agent-A sandboxRoot: /root/.openclaw/workspace/agent-a mediaUrl targets Agent-B: /root/.openclaw/workspace/agent-b/secret_key.txt args after normalization: {"mediaUrl":"/root/.openclaw/workspace/agent-b/secret_key.txt"} [EXPLOITED] Agent-B secret file content: AGENT-B-SECRET-API-KEY-sk-12345abcdef === EXPLOIT SUCCESSFUL === Agent-A read Agent-B's secret file via mediaUrl, bypassing sandbox. [+] RESULT: VULNERABLE — mediaUrl bypasses sandbox enforcement ``` **Control experiment output:** ``` === Control Experiment: Sandbox Enforcement for 'media' Key === [*] Container 'openclaw-media-bypass-test' is running [*] Running control script with Bun... [SAFE] normalizeSandboxMediaParams blocked 'media' key as expected! Error: Path escapes sandbox root (/tmp/sandbox-ZKvGQX): /tmp/victim-2cuAOO/secret.txt === CONTROL EXPERIMENT PASSED === The 'media' parameter IS correctly checked by sandbox enforcement. Only unchecked keys (mediaUrl, fileUrl) bypass the sandbox. [+] CONTROL PASSED: 'media' key is correctly enforced by sandbox ``` ### Impact This is a **sandbox escape** vulnerability. An attacker who can influence an agent's tool calls (via prompt injection, multi-agent interaction, or malicious plugin instruction) can read arbitrary files from other agents' workspaces. This includes: - API keys and secrets stored in other agents' sandboxes - Session data and conversation logs - Configuration files with sensitive credentials - Any file within the `~/.openclaw/` directory tree This completely defeats the purpose of the multi-agent sandbox isolation feature, which is documented as a security boundary in the project's Docker and sandboxing documentation. ### Affected products - **Ecosystem**: npm - **Package name**: openclaw - **Affected versions**: <= 2026.3.14 (current latest) - **Patched versions**: <None> ### Severity - **Severity**: High - **Vector string**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N ### Weaknesses - **CWE**: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') ### Occurrences | Permalink | Description | | :--- | :--- | | [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-params.ts#L206-L227) | The `normalizeSandboxMediaParams` function with incomplete `mediaKeys` allowlist — `mediaUrl` and `fileUrl` are not checked. | | [https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697](https://github.com/moltbot/moltbot/blob/main/src/infra/outbound/message-action-runner.ts#L684-L697) | The `handlePluginAction` dispatch call that omits `mediaLocalRoots` from the context passed to `dispatchChannelMessageAction`. | | [https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478](https://github.com/moltbot/moltbot/blob/main/src/channels/plugins/types.core.ts#L478) | The `ChannelMessageActionContext` type that defines `mediaLocalRoots` but never receives it from `handlePluginAction`. |
Exploitation Scenario
An attacker with control over one sandboxed agent — achieved via prompt injection into an agent processing external input, or through compromised agent instructions — crafts a message tool call with { mediaUrl: '~/.openclaw/workspace/target-agent/secrets.env' }. The normalizeSandboxMediaParams function skips mediaUrl since it is absent from its hardcoded allowlist, and handlePluginAction dispatches without mediaLocalRoots, causing the plugin to fall back to default roots covering the entire ~/.openclaw/ tree. The target agent's secrets file is read and transmitted as a channel media attachment to an attacker-controlled endpoint. No elevated privileges required — any low-privileged agent can pivot to read all co-hosted agents' data.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 OpenClaw: scope bypass escalates low-priv to admin
Same package: openclaw CVE-2026-32922 9.9 OpenClaw: privilege escalation to RCE via token scope bypass
Same package: openclaw CVE-2026-32038 9.8 OpenClaw: sandbox bypass enables container lateral movement
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw