CVE-2026-33581
Published: 31 March 2026
Summary
CVE-2026-33581 is a medium-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Validates mediaUrl and fileUrl alias parameters to block path traversal and prevent bypass of localRoots sandbox validation.
Enforces access control policies to restrict reading of files outside the intended sandbox directory even if parameters bypass validation.
Controls information flow from unvalidated file requests to ensure access remains confined within sandbox boundaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote arbitrary local file read via path traversal/sandbox bypass directly enables exploitation of public-facing applications (T1190) and data collection from local system files (T1005).
NVD Description
OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests…
more
through unvalidated alias parameters to access files outside the intended sandbox directory.
Deeper analysisAI
CVE-2026-33581 is a sandbox bypass vulnerability (CWE-22) affecting OpenClaw versions prior to 2026.3.24, specifically in the message tool component. The flaw enables attackers to read arbitrary local files by exploiting mediaUrl and fileUrl alias parameters, which bypass localRoots validation. This allows file requests to be routed through unvalidated aliases, granting access to files outside the intended sandbox directory. The vulnerability carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-31.
Remote attackers with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests that leverage the aliased parameters, they achieve high-impact confidentiality violations, such as reading sensitive local files beyond the sandbox boundaries, while integrity and availability remain unaffected.
Mitigation details are outlined in official advisories and the patch commit. The GitHub security advisory (GHSA-v8wv-jg3q-qwpq) and the fixing commit (1d7cb6fc03552bbba00e7cffb3aa9741f5556416) in the OpenClaw repository address the issue in version 2026.3.24 and later. VulnCheck's advisory further details the arbitrary file read via these parameters, recommending upgrades to patched versions.
Details
- CWE(s)