CVE-2026-32030

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9	Mitigation Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

25 Mar 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~5.9~~	v2 : unknown v3 : 7.5
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9 - Vendor Advisory, Mitigation~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9 - Mitigation, Vendor Advisory
Summary		(es) Las versiones de OpenClaw anteriores a la 2026.2.19 contienen una vulnerabilidad de salto de ruta en la función stageSandboxMedia que acepta rutas absolutas arbitrarias cuando la obtención remota de archivos adjuntos de iMessage está habilitada. Un atacante que pueda manipular los metadatos de la ruta de los archivos adjuntos puede divulgar archivos legibles por el proceso de OpenClaw en el host remoto configurado a través de SCP.

23 Mar 2026, 15:09

Type	Values Removed	Values Added
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
References	~~() https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e -~~	() https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9 - Vendor Advisory, Mitigation
References	~~() https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal -~~	() https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal - Third Party Advisory

19 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-19 22:16

Updated : 2026-03-25 15:16

NVD link : CVE-2026-32030

Mitre link : CVE-2026-32030

CVE.ORG link : CVE-2026-32030

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.5 /10