CVE-2026-35668: OpenClaw has Sandbox Media Root Bypass via Unnormalized `mediaUrl` / `fileUrl` Parameter Keys (CWE-22)

March 30, 2026 (updated April 10, 2026)

A path traversal vulnerability in the agent sandbox enforcement allows a sandboxed agent to read arbitrary files from other agents’ workspaces by using the mediaUrl or fileUrl parameter key in message tool calls. The normalizeSandboxMediaParams function only checks ["media", "path", "filePath"] keys, while mediaUrl and fileUrl escape normalization entirely. Combined with handlePluginAction dropping mediaLocalRoots from the dispatch context, this enables a full sandbox escape where any agent can read files outside its designated sandbox root.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-35668 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →