Path Traversal Vulnerability in OpenClaw Product
CVE-2026-35668

7.1HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-35668?

OpenClaw versions prior to 2026.3.24 are susceptible to a path traversal vulnerability that arises from inadequate parameter validation in sandbox enforcement. This flaw allows sandboxed agents to potentially read files located in other agents' workspaces by exploiting unnormalized 'mediaUrl' or 'fileUrl' parameters. Attackers could leverage this vulnerability to gain access to sensitive data, including API keys and configuration settings, which reside outside of designated sandbox roots. It is crucial for users to apply necessary updates to mitigate this risk.

Affected Version(s)

OpenClaw 0 < 2026.3.24

OpenClaw 2026.3.24

References

https://github.com/openclaw/openclaw/security/advisories/...

third-party-advisory

https://www.vulncheck.com/advisories/openclaw-sandbox-med...

third-party-advisory

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Apr 4, 2026

Credit

Edward-x (@YLChen-007)

CVE-2026-35668 Data

JSON

Openclaw

What is CVE-2026-35668?

Affected Version(s)

References

CVSS V4

Timeline

Credit