HIGHCVE-2026-32030Published 2026-03-19Modified 2026-03-25CNA VulnCheck

CVE-2026-32030: OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal

OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.

CVSS v4.0: 8.2
Severity: HIGH
Fixed in: 2026.2.19
Affected Products: 1

Fix available

2026.2.19

Patch commits

Patch Commit

Affected packages

OpenClaw / OpenClaw
< 2026.2.19 (from 0)
Fixed in 2026.2.19

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

GitHub Security Advisory (GHSA-x9cf-3w63-rpq9)
Patch Commit
VulnCheck Advisory: OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal

Metrics

Fix available