CVE-2026-32002 in OpenClaw
Summary
by MITRE • 03/20/2026
OpenClaw versions prior to 2026.2.23 contain a sandbox bypass vulnerability in the sandboxed image tool that fails to enforce tools.fs.workspaceOnly restrictions on mounted sandbox paths, allowing attackers to read out-of-workspace files. Attackers can load restricted mounted images and exfiltrate them through vision model provider requests to bypass sandbox confidentiality controls.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2026-32002 represents a critical sandbox bypass issue within OpenClaw software versions prior to 2026.2.23. This flaw specifically targets the sandboxed image tool component that is designed to restrict file system access to prevent unauthorized data exposure. The core technical issue stems from the failure of the sandboxing mechanism to properly enforce the tools.fs.workspaceOnly restriction policy when handling mounted sandbox paths. This oversight creates a fundamental security gap where the intended boundary protection fails to maintain the isolation between workspace and non-workspace file system locations.
The operational impact of this vulnerability extends beyond simple file access violations and creates a significant data exfiltration vector for malicious actors. Attackers can exploit this weakness by loading restricted mounted images that should normally be inaccessible due to sandbox constraints. The vulnerability becomes particularly dangerous when combined with vision model provider requests, which provide legitimate pathways for data processing within the system. Through these authorized request mechanisms, attackers can orchestrate data exfiltration operations that bypass the intended confidentiality controls of the sandbox environment. This creates a sophisticated attack scenario where malicious activity appears to occur within normal operational parameters, making detection significantly more challenging.
The technical implementation flaw manifests in the insufficient validation of file system access requests when dealing with mounted paths within the sandboxed environment. This type of vulnerability aligns with CWE-250, which addresses the execution of code with improper privileges, and CWE-276, which covers improper privilege management. The attack pattern follows principles outlined in the ATT&CK framework under T1059 for command and scripting interpreter and T1567 for exfiltration through restricted network communication channels. The vulnerability essentially creates a backdoor through which attackers can access files outside the designated workspace boundaries, undermining the fundamental security premise of sandboxed execution environments.
Security mitigations for this vulnerability require immediate patching to OpenClaw versions 2026.2.23 and later, which should include enhanced enforcement of the tools.fs.workspaceOnly restriction policy. Organizations should implement additional monitoring of vision model provider requests to detect anomalous data access patterns that might indicate exploitation attempts. The fix must ensure that all mounted paths are properly validated against workspace boundaries before any file access operations are permitted. Network segmentation and access control policies should be strengthened to limit the potential impact of successful exploitation attempts. System administrators should also conduct comprehensive security assessments to identify any potential unauthorized access that may have occurred prior to the implementation of the patch.