CVE-2026-35658 Overview
OpenClaw before version 2026.3.2 contains a filesystem boundary bypass vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) in the image tool component. The vulnerability stems from the image tool's failure to properly honor tools.fs.workspaceOnly restrictions, allowing attackers to traverse sandbox bridge mounts outside the designated workspace and read files that other filesystem tools would correctly reject.
Critical Impact
Attackers with low-privilege network access can bypass filesystem sandbox restrictions to read sensitive files outside the permitted workspace boundary, potentially exposing configuration files, credentials, and other sensitive data.
Affected Products
- OpenClaw versions prior to 2026.3.2
- OpenClaw for Node.js (all platforms)
- OpenClaw Image Tool component
Discovery Timeline
- April 10, 2026 - CVE-2026-35658 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35658
Vulnerability Analysis
This vulnerability affects the OpenClaw image tool, a component used for processing and handling image files within the application's sandboxed environment. The core issue lies in the inconsistent enforcement of filesystem access restrictions across different tool types within OpenClaw.
When OpenClaw is configured with tools.fs.workspaceOnly set to restrict filesystem access to the designated workspace directory, the image tool fails to respect this boundary. While other filesystem tools correctly validate and reject attempts to access files outside the workspace, the image tool bypasses these checks when processing sandbox bridge mounts.
Exploitation requires authenticated access with low privileges and depends on deployment-specific preconditions: the target must have sandbox bridge mounts configured, and sensitive files must be reachable through one of those mounts. This is why the vulnerability is rated with a network attack vector but is not unconditionally exploitable; as described, the bypass depends on a bridge mount being present for the image tool to traverse.
Root Cause
The root cause is classified under CWE-668 (Exposure of Resource to Wrong Sphere), indicating that the image tool exposes filesystem resources to an unauthorized scope. The image processing code path does not implement the same boundary validation logic that other filesystem tools use when resolving file paths through sandbox bridge mounts. This creates an inconsistency where the same file access that would be blocked by standard filesystem tools is permitted through the image tool interface.
Attack Vector
The attack leverages the network-accessible image tool functionality. An authenticated attacker can craft requests to the image tool that reference files through sandbox bridge mount paths. Because the image tool does not validate these paths against the workspaceOnly restriction, the attacker can traverse outside the workspace boundary to access files that should be restricted.
The attack flow involves:
- An authenticated user with low privileges identifies that the target OpenClaw instance has sandbox bridge mounts configured
- The attacker crafts image tool requests that traverse the bridge mount path structure
- The image tool processes these requests without enforcing workspace boundaries
- File contents from outside the workspace are returned to the attacker, enabling information disclosure
For detailed technical information about this vulnerability, see the GitHub Security Advisory and the VulnCheck Advisory.
Detection Methods for CVE-2026-35658
Indicators of Compromise
- Image tool requests whose file path resolves through a sandbox bridge mount to a location outside the workspace; such requests need not contain ../ or ..\ sequences, because a mount prefix alone can point outside the workspace
- Image tool requests containing literal or URL-encoded path traversal sequences (../, ..\, %2e%2e%2f)
- File access logs showing the image tool reading files outside the configured workspace directory, especially the same paths that other filesystem tools have rejected
Detection Strategies
- Monitor image tool API endpoints for requests containing path traversal patterns or references to bridge mount paths
- Implement file access auditing to detect when the image tool reads files outside the workspace boundary
- Review application logs for failed or successful file reads from sensitive system locations
Monitoring Recommendations
- Enable verbose logging for all filesystem operations performed by OpenClaw tools
- Configure alerts for image tool requests that resolve to paths outside the workspace directory
- Implement network traffic analysis to identify anomalous patterns in image tool API usage
How to Mitigate CVE-2026-35658
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.2 or later immediately
- Review access logs to identify any potential exploitation attempts
- Audit files accessible through sandbox bridge mounts for sensitive data exposure
- Temporarily disable or restrict access to the image tool if immediate patching is not possible
Patch Information
OpenClaw has released security patches addressing this vulnerability. Multiple commits have been published to remediate the issue:
- GitHub Commit Fix - Primary fix implementation
- GitHub Commit Update - Additional updates
- GitHub Commit Change - Related changes
- GitHub Commit Enhancement - Enhanced protections
Organizations should upgrade to version 2026.3.2 or later. Applying the individual commits is only appropriate for deployments built from source, and all of the listed commits should be applied together, since the remediation is spread across several of them.
Workarounds
- Disable the image tool functionality if it is not required for your deployment
- Remove or restrict sandbox bridge mount configurations to minimize the attack surface
- Implement network-level access controls to limit which users can interact with the image tool API
- Deploy web application firewall rules to block requests containing path traversal patterns targeting the image tool; treat this as defence in depth only, because a request that references a bridge mount path directly contains no traversal sequence, and encoded variants can slip past naive patterns
# Example: restricting image tool access in OpenClaw configuration
# Illustrative key names; verify them against the configuration schema of your OpenClaw version before deploying
{
"tools": {
"image": {
"enabled": false
},
"fs": {
"workspaceOnly": true
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


