CVE-2026-32030
Severity: HIGH
OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal
Title source: CNA description
OpenClaw versions prior to 2026.2.19 contain a path traversal vulnerability in the stageSandboxMedia function that accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. An attacker who can tamper with attachment path metadata can disclose files readable by the OpenClaw process on the configured remote host via SCP.
References (3)
Core References
Third Party Advisory
GitHub Security Advisory (GHSA-x9cf-3w63-rpq9)
https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9
Patch
Patch Commit
https://github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e
Third Party Advisory
VulnCheck Advisory: OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal
https://www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal
Scores
CVSS v3
7.5
EPSS
0.0007
EPSS Percentile
22.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (4)
npm/openclaw
0 - 2026.2.19 (npm)
OpenClaw/OpenClaw
< 2026.2.19
openclaw/openclaw
< 2026.2.19
OpenClaw/OpenClaw
2026.2.19
Published
Mar 19, 2026
Tracked Since
Mar 20, 2026