GHSA-9f72-qcpw-2hxc: OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs

March 3, 2026

In sandboxed runs, native prompt image auto-load did not honor tools.fs.workspaceOnly=true.

This optional hardening setting is not enabled by default. When operators enabled it, prompt text could still reference mounted out-of-workspace image paths (for example /agent/secret.png) and load those image bytes for vision-capable model input.

References

github.com/advisories/GHSA-9f72-qcpw-2hxc
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/370d115549c0dadace0902775eea0d5094aedfdc
github.com/openclaw/openclaw/security/advisories/GHSA-9f72-qcpw-2hxc

Code Behaviors & Features

Detect and mitigate GHSA-9f72-qcpw-2hxc with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →