CVE-2026-43532 Overview
CVE-2026-43532 affects OpenClaw versions 2026.4.7 through 2026.4.10 and stems from incomplete input normalization in the sandbox media processing layer. The vulnerability exists because the image parameter in Discord event cover image handling was excluded from the sandbox media parameter normalization list. Attackers with low privileges can inject host-local media references into channel action paths that expect normalized media values. The flaw is categorized under [CWE-184: Incomplete List of Disallowed Inputs] and impacts the confidentiality of subsequent components in the processing chain.
Critical Impact
Authenticated attackers can bypass sandbox media normalization to reference host-local media in Discord event cover image parameters, breaking sandbox containment for downstream channel actions.
Affected Products
- OpenClaw 2026.4.7 (Node.js distribution)
- OpenClaw versions prior to 2026.4.10
- OpenClaw deployments processing Discord event cover images
Discovery Timeline
- 2026-05-05 - CVE-2026-43532 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43532
Vulnerability Analysis
The vulnerability resides in src/infra/outbound/message-action-params.ts, where OpenClaw defines a constant array of parameter keys subject to sandbox media normalization. The original SANDBOX_MEDIA_PARAM_KEYS array enumerated media, path, filePath, mediaUrl, and fileUrl but omitted the image key used by Discord event cover image flows. Because the normalization routine iterates only over keys in this allowlist, any value supplied through the image parameter passes through without rewriting or sanitization. Downstream channel action handlers consume these parameters under the assumption that media references are already normalized and host-safe.
Root Cause
The root cause is an incomplete disallowed-input list, classified as [CWE-184]. The normalization function readMediaParam operated on a hardcoded allowlist that did not track all parameter names introduced by feature additions. When Discord event cover image support was added, the corresponding image key was not registered with the sandbox normalization logic, leaving a coverage gap between feature surface and security control.
Attack Vector
Exploitation requires network access and low-privilege authentication. An attacker submits a crafted Discord event cover image parameter containing a host-local media reference. The unnormalized image value flows into channel action paths, where it is treated as a legitimate normalized media reference. This allows referencing media outside the intended sandbox scope, breaking the security boundary between the sandbox and host-local resources.
// Patch in src/infra/outbound/message-action-params.ts
export const readBooleanParam = readBooleanParamShared;
-const SANDBOX_MEDIA_PARAM_KEYS = ["media", "path", "filePath", "mediaUrl", "fileUrl"] as const;
+const SANDBOX_MEDIA_PARAM_KEYS = [
+ "media",
+ "path",
+ "filePath",
+ "mediaUrl",
+ "fileUrl",
+ "image",
+] as const;
function readMediaParam(
args: Record<string, unknown>,
Source: GitHub Commit 979c6f0
Detection Methods for CVE-2026-43532
Indicators of Compromise
- Discord event creation requests containing image parameters with host-local file paths or non-standard URI schemes such as file://.
- Channel action invocations where media references resolve to paths outside the sandbox media root.
- Log entries from message-action-params.ts showing media parameter values that were not transformed by readMediaParam.
Detection Strategies
- Inspect outbound message action parameter logs for image values that do not match the normalized media URI format.
- Compare resolved media paths against the configured sandbox media directory and alert on path traversal or absolute host paths.
- Audit OpenClaw deployments for installed versions between 2026.4.7 and 2026.4.10 to identify exposure scope.
Monitoring Recommendations
- Enable verbose logging on the sandbox media normalization layer and forward events to a centralized analytics pipeline.
- Track authenticated user activity associated with Discord event creation and correlate with anomalous media reference patterns.
- Monitor file system access from the OpenClaw process for reads outside expected sandbox boundaries.
How to Mitigate CVE-2026-43532
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which includes the image key in SANDBOX_MEDIA_PARAM_KEYS.
- Review authentication and authorization policies for users able to create or modify Discord events through OpenClaw.
- Audit historical Discord event records for cover image values referencing host-local paths.
Patch Information
The fix is delivered in commit 979c6f09d6fad96596feb91c905934be7e0b4f15 and tracked in advisory GHSA-c9h3-5p7r-mrjh. The patch adds the image parameter key to the sandbox media normalization allowlist so Discord event cover image values are rewritten before reaching channel action handlers. Additional context is available in the VulnCheck Advisory.
Workarounds
- Restrict the set of authenticated users permitted to invoke Discord event creation flows until the patch is applied.
- Deploy an upstream proxy or input filter that strips host-local URI schemes from image parameters in Discord event payloads.
- Run OpenClaw under a restricted operating system user with no read access to sensitive host-local media paths.
# Upgrade OpenClaw to the patched release
npm install openclaw@2026.4.10
# Verify installed version
npm list openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
