CVE-2026-32030: OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost is set), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them from the remote host into local staging without checking where they pointed.
If a non-attachment path reaches this flow, files outside the expected iMessage attachment directories on the remote host can be staged and their contents disclosed.
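The missing check, shown as an added example rather than OpenClaw's own code: a hypothetical `isAllowedAttachmentPath` that normalizes the remote path and requires it to sit under an allowlisted attachment root before anything is handed to SCP, next to a hypothetical `stageSandboxMediaVulnerable` that reproduces the accept-any-absolute-path behaviour the advisory describes. The root directory and function names are assumptions.

```typescript
import * as path from "node:path";

// Assumed allowlist of remote directories that iMessage attachments live in.
// The advisory does not name the project's expected directories; this is an example value.
const ALLOWED_ATTACHMENT_ROOTS: string[] = [
  "/Users/alice/Library/Messages/Attachments",
];

// Hypothetical reproduction of the vulnerable behaviour: any absolute path is accepted,
// so the remote path that would be passed to scp is returned unchanged.
function stageSandboxMediaVulnerable(remotePath: string): string {
  if (!path.posix.isAbsolute(remotePath)) throw new Error("expected absolute path");
  return remotePath; // "/etc/passwd" or "~/.ssh/id_ed25519" would be staged too
}

// Hardened check: normalize away "." and ".." segments, then require that the
// result lies strictly inside one of the allowed roots.
function isAllowedAttachmentPath(
  remotePath: string,
  roots: string[] = ALLOWED_ATTACHMENT_ROOTS,
): boolean {
  if (!path.posix.isAbsolute(remotePath)) return false;
  if (remotePath.includes("\0")) return false; // NUL bytes can truncate the path on the remote side
  const normalized = path.posix.normalize(remotePath);
  return roots.some((root) => {
    const rel = path.posix.relative(root, normalized);
    // rel === ""  -> the root directory itself, not a file inside it
    // "../..."    -> escaped the root after normalization
    return rel !== "" && rel !== ".." && !rel.startsWith("../") && !path.posix.isAbsolute(rel);
  });
}

// Hypothetical hardened staging entry point: refuses anything outside the allowlist
// and returns the normalized path that would be handed to scp.
function stageSandboxMediaHardened(remotePath: string): string {
  if (!isAllowedAttachmentPath(remotePath)) {
    throw new Error(`refusing to stage non-attachment path: ${remotePath}`);
  }
  return path.posix.normalize(remotePath);
}
```

This is a string-level check only: a symlink inside the attachment directory on the remote host could still point elsewhere, so the remote side should also resolve the real path (for example with realpath) before copying.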
References
- github.com/advisories/GHSA-x9cf-3w63-rpq9
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/1316e5740382926e45a42097b4bfe0aef7d63e8e
- github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9
- nvd.nist.gov/vuln/detail/CVE-2026-32030
- www.vulncheck.com/advisories/openclaw-sensitive-file-disclosure-via-stagesandboxmedia-path-traversal