CVE-2026-33581: Openclaw Path Traversal Vulnerability

CVE-2026-33581 Overview

CVE-2026-33581 is a sandbox bypass vulnerability in OpenClaw before version 2026.3.24 that allows attackers to read arbitrary local files. The vulnerability exists in the message tool component, where mediaUrl and fileUrl alias parameters can be used to bypass localRoots validation. Remote attackers can exploit this path traversal flaw by routing file requests through unvalidated alias parameters to access files outside the intended sandbox directory.

Critical Impact

Remote attackers with low privileges can bypass sandbox restrictions to read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, and application data.

Affected Products

• OpenClaw versions prior to 2026.3.24
• OpenClaw Node.js installations with message tool functionality enabled
• Systems using mediaUrl or fileUrl parameters in message actions

Discovery Timeline

• 2026-03-31 - CVE-2026-33581 published to NVD
• 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-33581

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Path Traversal), a class of security flaws that occur when user-controllable input is used to construct file system paths without proper validation. In OpenClaw, the message tool provides functionality to handle media and file attachments, which requires reading files from designated sandbox directories controlled by localRoots configuration.

The core issue stems from incomplete parameter validation in the message action handling code. While the primary media and path parameters were subject to sandbox validation through localRoots, the alias parameters mediaUrl and fileUrl were not included in this security check. This oversight created an alternative pathway for file access that completely bypassed the intended sandboxing mechanism.

When an attacker supplies a malicious file path via the mediaUrl or fileUrl parameters instead of the validated media or path parameters, the application processes the request without confirming that the requested file resides within the allowed localRoots directories. This enables reading of arbitrary files accessible to the OpenClaw process, including system configuration files, environment files containing secrets, and other sensitive application data.

Root Cause

The root cause of this vulnerability is incomplete input validation for file path parameters in the message action component. The localRoots validation logic was not applied to all parameter variations that could specify file paths, specifically missing coverage for the mediaUrl and fileUrl alias parameters. This represents a common vulnerability pattern where developers secure primary input channels but overlook alternative parameter names that provide equivalent functionality.

Attack Vector

The attack vector is network-based, requiring only low-privilege authentication to exploit. An attacker can craft malicious requests to the message tool endpoint, substituting the validated media or path parameters with the unvalidated mediaUrl or fileUrl aliases. By specifying paths such as ../../etc/passwd or absolute paths to sensitive files, the attacker can read arbitrary files from the server's file system.

The following patch demonstrates the security fix implemented in src/infra/outbound/message-action-params.ts:

 
export const readBooleanParam = readBooleanParamShared;
 
+const SANDBOX_MEDIA_PARAM_KEYS = ["media", "path", "filePath", "mediaUrl", "fileUrl"] as const;
+
+function readMediaParam(
+  args: Record<string, unknown>,
+  key: (typeof SANDBOX_MEDIA_PARAM_KEYS)[number],
+): string | undefined {
+  return readStringParam(args, key, { trim: false });
+}
+
+function readAttachmentMediaHint(args: Record<string, unknown>): string | undefined {
+  return readMediaParam(args, "media") ?? readMediaParam(args, "mediaUrl");
+}
+
+function readAttachmentFileHint(args: Record<string, unknown>): string | undefined {
+  return (
+    readMediaParam(args, "path") ??
+    readMediaParam(args, "filePath") ??
+    readMediaParam(args, "fileUrl")
+  );
+}
+
function resolveAttachmentMaxBytes(params: {
  cfg: OpenClawConfig;
  channel: ChannelId;

Source: GitHub Commit

The fix consolidates all media-related parameter names into SANDBOX_MEDIA_PARAM_KEYS and ensures that all variations are processed through the same validation pipeline, closing the bypass avenue.

Detection Methods for CVE-2026-33581

Indicators of Compromise

• Unusual file access attempts in application logs containing mediaUrl or fileUrl parameters with path traversal sequences (../)
• Log entries showing access to sensitive system files such as /etc/passwd, /etc/shadow, or application configuration files
• Requests to message tool endpoints containing absolute file paths outside expected sandbox directories
• Error messages indicating file access failures for paths outside the configured localRoots

Detection Strategies

• Implement web application firewall (WAF) rules to detect and block path traversal patterns in mediaUrl and fileUrl parameters
• Monitor application logs for requests containing ../ sequences or absolute paths in message action parameters
• Deploy file integrity monitoring on sensitive directories to detect unauthorized read attempts
• Enable verbose logging for the message tool component to capture all file access requests with full parameter details

Monitoring Recommendations

• Configure alerting on any file access attempts outside designated sandbox directories
• Establish baseline patterns for normal message tool file access and alert on anomalies
• Review access logs for the message action endpoints regularly for suspicious patterns
• Implement real-time monitoring for requests containing known path traversal payloads

How to Mitigate CVE-2026-33581

Immediate Actions Required

• Upgrade OpenClaw to version 2026.3.24 or later immediately
• Review application logs for any evidence of exploitation attempts using mediaUrl or fileUrl parameters
• Audit file access logs for any unauthorized reads of sensitive files
• Implement network-level restrictions to limit access to OpenClaw message tool endpoints to trusted sources only

Patch Information

OpenClaw has released a security patch in version 2026.3.24 that addresses this vulnerability by ensuring all media-related parameters (media, path, filePath, mediaUrl, fileUrl) are validated against the mediaLocalRoots configuration. The fix is available in commit 1d7cb6fc03552bbba00e7cffb3aa9741f5556416. Organizations should upgrade to the patched version as soon as possible. Additional details can be found in the GitHub Security Advisory.

Workarounds

• If immediate patching is not possible, implement WAF rules to block requests containing mediaUrl or fileUrl parameters with path traversal characters
• Restrict the OpenClaw service account's file system permissions to minimize the impact of potential file read exploitation
• Deploy application-layer firewall rules to filter requests to message tool endpoints containing suspicious path patterns
• Consider temporarily disabling the message tool functionality if it is not business-critical until the patch can be applied

# Example WAF rule to block path traversal in vulnerable parameters
# ModSecurity rule format
SecRule ARGS:mediaUrl|ARGS:fileUrl "@contains ../" \
    "id:2026335810,phase:2,deny,status:403,msg:'CVE-2026-33581 path traversal attempt blocked'"

# Restrict file permissions for OpenClaw service account
chmod 700 /sensitive/directories
chown root:root /etc/openclaw/config