What is CVE-2026-33581?

A sandbox bypass vulnerability in OpenClaw before 2026.3.24 that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass the localRoots sandbox validation.

How does CVE-2026-33581 bypass the sandbox?

The normalizeSandboxMediaParams function only validated media, path, and filePath parameters but not the mediaUrl and fileUrl aliases. Attackers craft requests with file:// URIs through the unvalidated aliases.

What files can attackers read with CVE-2026-33581?

Any local file accessible to the OpenClaw process, including /etc/passwd, API keys, credentials files, and other sensitive data on the host filesystem.

How do I fix CVE-2026-33581?

Upgrade to OpenClaw version 2026.3.24 or later, which normalizes all parameter aliases and applies sandbox validation consistently.

Is CVE-2026-33581 being actively exploited?

The vulnerability has been publicly disclosed with detailed exploitation steps. All users running OpenClaw < 2026.3.24 should upgrade immediately.

← Back to dashboard

clawsmith.com/signal/cve-2026-33581-mediaurl-sandbox-bypass-file-read

⚠ IssueWide OpenSecurityLive

CVE-2026-33581: OpenClaw Sandbox Bypass — Arbitrary File Read via mediaUrl/fileUrl Parameters

OpenClaw before 2026.3.24 message tool accepts mediaUrl and fileUrl aliases without sandbox localRoots validation. Attackers read arbitrary local files via file:// URIs bypassing filesystem isolation.

Product Idea from this Signal

A security service that auto-patches OpenClaw CVEs within hours of disclosure before attackers exploit them

3.7k ▲

OpenClaw shipped 9 CVEs in 4 days (March 2026) including a CVSS 9.9 privilege escalation affecting 135K+ exposed instances. Most operators have no way to know which CVEs affect their version, no automated patching, and no coordination between the flood of advisories (156+ total) and their actual attack surface. This tool continuously monitors CVE feeds, maps each advisory to your installed version and enabled features, and applies safe mitigations automatically while queuing risky patches for human approval.

SECURITYCLIDEVTOOLOPEN-SOURCESYSADMIN

CompetitiveView Opportunity →