GHSA-7xmq-g46g-f8pv: OpenClaw: Sandbox media TOCTOU could read files outside sandbox root

March 2, 2026

Sandbox media handling had a time-of-check/time-of-use gap: media paths could be validated first and read later through a separate path. A symlink retarget between those steps could cause reads outside sandboxRoot.

References

github.com/advisories/GHSA-7xmq-g46g-f8pv
github.com/openclaw/openclaw
github.com/openclaw/openclaw/security/advisories/GHSA-7xmq-g46g-f8pv

Code Behaviors & Features

Detect and mitigate GHSA-7xmq-g46g-f8pv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →