CVE-2026-35668 Overview
CVE-2026-35668 is a path traversal vulnerability (CWE-22) in OpenClaw before version 2026.3.24 that affects sandbox enforcement mechanisms. The vulnerability allows sandboxed agents to read arbitrary files from other agents' workspaces through unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in the normalizeSandboxMediaParams function combined with missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.
Critical Impact
Attackers with low privileges can bypass sandbox isolation to access sensitive files from other agents' workspaces, potentially exposing API keys, credentials, and confidential configuration data.
Affected Products
- OpenClaw versions prior to 2026.3.24
- OpenClaw Node.js package (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-04-10 - CVE-2026-35668 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-35668
Vulnerability Analysis
This path traversal vulnerability exists in OpenClaw's sandbox enforcement layer, which is designed to isolate agents and restrict their file access to designated workspace directories. The flaw stems from incomplete validation of media URL parameters, allowing attackers to craft requests that escape the intended sandbox boundaries.
The vulnerability is exploitable over the network and requires low privileges (authenticated access as a sandboxed agent). Once exploited, an attacker can read arbitrary files from other agents' workspaces, leading to unauthorized disclosure of sensitive information. The attack does not require user interaction and can be performed with low complexity.
Root Cause
The root cause of CVE-2026-35668 lies in the normalizeSandboxMediaParams function, which fails to properly normalize and validate the mediaUrl and fileUrl parameter keys before resolving file paths. Additionally, the absence of proper mediaLocalRoots context validation allows path traversal sequences (such as ../) to escape the sandbox root directory. This combination of incomplete input validation and missing boundary enforcement creates a bypass condition that circumvents sandbox isolation.
Attack Vector
An attacker with access as a sandboxed agent can exploit this vulnerability by crafting malicious requests containing path traversal sequences in the mediaUrl or fileUrl parameters. By using unnormalized paths such as ../../other-agent/config/api-keys.json, the attacker can traverse directory boundaries and access files belonging to other agents or system-level configuration files.
The attack scenario involves:
- Authenticating as a sandboxed agent with low privileges
- Crafting a request with a malicious mediaUrl or fileUrl parameter containing directory traversal sequences
- Bypassing the incomplete validation in normalizeSandboxMediaParams
- Reading sensitive files from other agents' workspaces or system directories
The vulnerability allows read-only access to files, resulting in confidentiality impact. No direct write capabilities or availability impact have been identified.
Detection Methods for CVE-2026-35668
Indicators of Compromise
- Unusual file access patterns from sandboxed agents accessing paths outside their designated workspace directories
- HTTP requests containing path traversal sequences (../, ..%2f, ..%252f) in mediaUrl or fileUrl parameters
- Log entries showing file access attempts to sensitive configuration files or other agents' workspaces
- Anomalous read operations targeting files containing API keys, credentials, or configuration data
Detection Strategies
- Monitor application logs for path traversal patterns in URL parameters, particularly in mediaUrl and fileUrl fields
- Implement web application firewall (WAF) rules to detect and block requests containing directory traversal sequences
- Deploy file integrity monitoring on sensitive configuration directories and credential storage locations
- Analyze network traffic for suspicious patterns indicating sandbox escape attempts
Monitoring Recommendations
- Enable verbose logging for the normalizeSandboxMediaParams function to capture parameter values before and after normalization
- Set up alerts for any file access attempts that resolve to paths outside the expected sandbox root directories
- Monitor for bulk file read operations that may indicate automated exploitation attempts
- Implement anomaly detection for agent behavior patterns, flagging agents accessing unusual file paths
How to Mitigate CVE-2026-35668
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.24 or later immediately
- Review access logs for signs of exploitation targeting the mediaUrl and fileUrl parameters
- Audit sensitive files (API keys, credentials, configuration) for potential unauthorized access
- Consider rotating any credentials or API keys that may have been exposed
Patch Information
OpenClaw has released version 2026.3.24 which addresses this path traversal vulnerability. The patch implements proper path normalization and validation in the normalizeSandboxMediaParams function, along with enforcement of mediaLocalRoots context boundaries.
For detailed patch information, refer to the GitHub Security Advisory. Additional technical details are available in the VulnCheck Security Advisory.
Workarounds
- Implement network-level controls to restrict access to the vulnerable endpoints until patching is complete
- Deploy a web application firewall (WAF) with rules to block requests containing path traversal sequences in URL parameters
- Restrict file system permissions to limit the impact of potential sandbox escapes
- Consider temporarily disabling media URL functionality if it is not critical to operations
# Example WAF rule to block path traversal attempts
# Add to nginx configuration or similar reverse proxy
location / {
if ($request_uri ~* "\.\.") {
return 403;
}
if ($args ~* "(mediaUrl|fileUrl)=.*\.\.") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
