CVE-2026-35668
Published: 10 April 2026
Summary
CVE-2026-35668 is a high-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the incomplete parameter validation in normalizeSandboxMediaParams by requiring validation of mediaUrl and fileUrl inputs to block path traversal exploits.
Enforces logical access restrictions ensuring sandboxed agents cannot read files outside their designated workspace roots.
Implements a reference monitor mechanism to mediate all sandbox access decisions, including proper mediaLocalRoots context to prevent bypasses.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in sandbox enforcement directly enables reading arbitrary files (including API keys and configs) from other workspaces on the local system, mapping to data collection from local files and unsecured credentials in files.
NVD Description
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots…
more
context to access sensitive files including API keys and configuration data outside designated sandbox roots.
Deeper analysisAI
CVE-2026-35668, published on 2026-04-10, is a path traversal vulnerability (CWE-22) in OpenClaw versions before 2026.3.24. The flaw exists in the sandbox enforcement mechanism, where sandboxed agents can read arbitrary files from other agents' workspaces through unnormalized mediaUrl or fileUrl parameter keys. This results from incomplete parameter validation in the normalizeSandboxMediaParams function and missing mediaLocalRoots context, enabling access to sensitive files like API keys and configuration data outside designated sandbox roots. The vulnerability carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Attackers with low privileges (PR:L), such as authenticated sandboxed agents, can exploit this over the network with low complexity and no user interaction. By supplying specially crafted unnormalized parameters, they bypass sandbox restrictions in a scoped manner, achieving high confidentiality impact through unauthorized reads of files from other agents' workspaces.
Advisories from GitHub (GHSA-hr5v-j9h9-xjhg) and VulnCheck detail the issue and recommend upgrading to OpenClaw 2026.3.24 or later to address the incomplete validation and context missing in sandbox media handling.
Details
- CWE(s)