CVE-2026-27522 Overview
OpenClaw versions prior to 2026.2.24 contain a local media root bypass vulnerability (CWE-22: Path Traversal) in the sendAttachment and setGroupIcon message actions when sandboxRoot is unset. This vulnerability allows attackers to hydrate media from local absolute paths, enabling them to read arbitrary host files accessible by the runtime user.
Critical Impact
Attackers with low-level privileges can exploit this path traversal vulnerability to access sensitive files on the host system, potentially exposing configuration files, credentials, API keys, and other confidential data accessible to the OpenClaw runtime user.
Affected Products
- OpenClaw versions prior to 2026.2.24
- OpenClaw for Node.js (all affected versions)
Discovery Timeline
- 2026-03-18 - CVE-2026-27522 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-27522
Vulnerability Analysis
This vulnerability is a classic path traversal issue that occurs due to insufficient validation of file paths in the OpenClaw message handling system. When users invoke the sendAttachment or setGroupIcon message actions, the application fails to properly enforce media root boundaries when the sandboxRoot configuration is not explicitly set.
The vulnerability allows authenticated users to bypass intended directory restrictions by providing absolute file paths instead of relative paths within the expected media directories. This enables attackers to "hydrate" (load and access) media files from arbitrary locations on the host file system, limited only by the file permissions of the runtime user account.
The network-accessible nature of the vulnerability combined with low attack complexity makes it particularly concerning for deployments exposed to untrusted users or networks.
Root Cause
The root cause lies in the missing validation of local media root paths during attachment hydration. The application's message-action-params.ts and message-action-runner.ts components did not enforce sandboxRoot and mediaLocalRoots restrictions when processing file paths for attachments and group icons. Without these constraints, the application accepted absolute paths that could traverse outside the intended media directory structure.
Attack Vector
The attack vector is network-based, requiring an authenticated user with low privileges. The attacker can exploit this vulnerability through the following mechanism:
- The attacker authenticates to the OpenClaw application with minimal privileges
- The attacker crafts a malicious request to either sendAttachment or setGroupIcon message actions
- Instead of providing a relative path within the expected media directory, the attacker supplies an absolute path (e.g., /etc/passwd or application configuration files)
- Due to the missing sandboxRoot enforcement, the application loads the requested file
- The file contents are returned to the attacker as media content
The security patch introduces proper enforcement of local media root checks:
contentTypeParam?: string | null;
mediaHint?: string | null;
fileHint?: string | null;
+ sandboxRoot?: string;
+ mediaLocalRoots?: readonly string[];
}) {
const contentTypeParam = params.contentTypeParam ?? undefined;
const rawBuffer = readStringParam(params.args, "buffer", { trim: false });
Source: GitHub Commit Update
The fix also adds proper import and integration of media local root validation:
ChannelThreadingToolContext,
} from "../../channels/plugins/types.js";
import type { OpenClawConfig } from "../../config/config.js";
+import { getAgentScopedMediaLocalRoots } from "../../media/local-roots.js";
import {
isDeliverableMessageChannel,
normalizeMessageChannel,
Source: GitHub Commit Update
Detection Methods for CVE-2026-27522
Indicators of Compromise
- Unusual file access patterns by the OpenClaw process accessing files outside designated media directories
- Log entries showing absolute paths in sendAttachment or setGroupIcon requests
- Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or application configuration files
- Anomalous outbound data transfers containing sensitive file content through message attachments
Detection Strategies
- Monitor application logs for path traversal sequences (e.g., ../) or absolute path references in message action parameters
- Implement file integrity monitoring on sensitive configuration files to detect unauthorized read access
- Deploy network-level inspection to identify exfiltration of sensitive file content through message attachments
- Review audit logs for patterns of systematic file enumeration attempts
Monitoring Recommendations
- Enable verbose logging for all message action handlers in OpenClaw
- Configure alerts for file access operations outside the expected media root directories
- Implement runtime application monitoring to detect abnormal file system access patterns
- Monitor for reconnaissance activity targeting sensitive files commonly targeted in path traversal attacks
How to Mitigate CVE-2026-27522
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.24 or later immediately
- Audit application logs for any evidence of exploitation attempts
- Review file access permissions for the OpenClaw runtime user account to minimize exposed sensitive files
- Explicitly configure sandboxRoot even on patched versions as a defense-in-depth measure
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.24. The patch introduces proper enforcement of local media root checks through the addition of sandboxRoot and mediaLocalRoots parameters in the message action handling code. The fix ensures that attachment hydration operations are constrained to designated media directories.
For detailed patch information, see the GitHub Security Advisory GHSA-fqcm-97m6-w7rm and the GitHub Commit Update.
Workarounds
- Configure sandboxRoot explicitly in your OpenClaw configuration to enforce media directory boundaries
- Implement network segmentation to limit access to OpenClaw instances from untrusted networks
- Run OpenClaw with a dedicated service account having minimal file system permissions
- Deploy a Web Application Firewall (WAF) with path traversal detection rules
# Configuration example - Ensure sandboxRoot is explicitly set in OpenClaw config
# openclaw.config.js or equivalent configuration file
export OPENCLAW_SANDBOX_ROOT="/var/lib/openclaw/media"
export OPENCLAW_MEDIA_LOCAL_ROOTS="/var/lib/openclaw/media/attachments,/var/lib/openclaw/media/icons"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
