CVE-2026-35658

Summary

OpenClaw before 2026.3.2 contains a filesystem boundary bypass vulnerability in the image tool that fails to honor tools.fs.workspaceOnly restrictions. Attackers can traverse sandbox bridge mounts outside the workspace to read files that other filesystem tools would reject.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw0 < 2026.3.2affected
OpenClawOpenClaw2026.3.2unaffected

Weaknesses

  • CWE-668: CWE-668: Exposure of Resource to Wrong Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References