GHSA-x9cf-3w63-rpq9: Path Traversal in OpenClaw stageSandboxMedia Leading to Arbitrary File Read

OpenClaw is an open-source AI assistant infrastructure designed to automate responses across various communication channels, notably iMessage. To enable AI agents to analyze images or documents sent via these channels, OpenClaw "stages" these files by copying them from their original location (e.g., the iMessage attachments directory) into a sandboxed workspace dedicated to the active conversation thread.

The vulnerability, identified as GHSA-x9cf-3w63-rpq9, resides in the component responsible for this file movement: src/auto-reply/reply/stage-sandbox-media.ts. Specifically, when OpenClaw is configured to retrieve media from a remote relay (a common setup to bridge iMessage from a Mac to a server), it relies on the scp utility to fetch files. The system blindly trusts the file path provided in the message object's metadata, allowing for path traversal attacks (CWE-22) and subsequent information disclosure (CWE-200).

The root cause of this vulnerability is the absence of input validation on file paths passed to system commands. The stageSandboxMedia function accepts a media object containing an original_path property. This property is intended to point to a standard directory, such as ~/Library/Messages/Attachments/.

However, prior to the patch, the application performed no verification to ensure the path resided within this expected directory structure. The unsanitized path was concatenated directly into an scp command string (for remote relays) or passed to local file system operations. Because scp and standard file system APIs will happily accept absolute paths like /etc/passwd or /Users/victim/.ssh/id_rsa, the application would retrieve these sensitive files if instructed to do so by manipulated metadata.

This behavior violates the security principle of "Fail Safe Defaults" by assuming all input paths are benign rather than explicitly allowing only known-safe paths. The flaw is exacerbated by the fact that OpenClaw typically runs with user-level privileges on macOS to access the iMessage database, granting it broad read permissions across the user's home directory.

The vulnerability existed in src/auto-reply/reply/stage-sandbox-media.ts, where the code constructed a copy command using user-controlled input without sanitization. The fix introduced a new policy module, src/media/inbound-path-policy.ts, to enforce an allowlist.

Vulnerable Logic (Conceptual):

// The 'path' variable comes directly from message metadata
if (remoteHost) {
  // VULNERABLE: path is interpolated directly into the scp command
  await exec(`scp ${remoteHost}:"${path}" "${localDestination}"`);
} else {
  // VULNERABLE: path is used directly in local fs copy
  await fs.copyFile(path, localDestination);
}

Patched Logic (Commit 1316e57):

The patch introduces isInboundPathAllowed, which checks the path against configured attachmentRoots. It creates a strict boundary for file operations.

import { isInboundPathAllowed } from '../../media/inbound-path-policy';
 
export async function stageSandboxMedia(media: MediaItem) {
  // FIX: Validate path before use
  if (!isInboundPathAllowed(media.original_path)) {
    // Log security event and abort operation
    logger.error(`Blocking remote media staging: ${media.original_path}`);
    throw new Error('Security Violation: Path not allowed');
  }
 
  // Safe to proceed with copy operation
  if (remoteHost) {
     // ... execute scp ...
  }
}

The isInboundPathAllowed function uses minimatch or regex patterns to ensure the path starts with authorized prefixes (defaulting to standard macOS message attachment directories) and, for local files, uses fs.realpath to resolve and validate symlinks.

An attacker can exploit this vulnerability by injecting a malicious payload into the message processing pipeline. This could be achieved if the attacker can modify the metadata of a message being processed by OpenClaw, or if they can trigger a race condition where the file path in the database is swapped before OpenClaw reads it.

Attack Steps:

1. Target Identification: The attacker identifies an OpenClaw instance utilizing a remote iMessage relay.
2. Metadata Manipulation: The attacker sends a message or interacts with the relay such that the original_path attribute for an attachment is set to a sensitive target, such as /Users/admin/.ssh/id_ed25519.
3. Triggering Staging: The OpenClaw engine picks up the message. The stageSandboxMedia function is invoked to prepare the context for the AI.
4. Exfiltration: The system executes scp user@remote:/Users/admin/.ssh/id_ed25519 ./sandbox/attachment_1. The private key is now sitting in the sandbox directory.
5. Disclosure: The AI agent, designed to analyze attachments, now has read access to the private key. It might output the key's content in a debug log, summarize it in a reply, or allow the attacker to retrieve it via subsequent interaction with the bot.

The impact of this vulnerability is significant for confidentiality, rated as High in the CVSS metrics. While the integrity and availability impacts are low to none, the ability to read arbitrary files constitutes a serious breach of the security model.

Specific Risks:

• Credential Theft: Attackers can retrieve SSH keys, AWS credentials, or API tokens stored in dotfiles (e.g., ~/.aws/credentials, ~/.zshrc).
• Configuration Exposure: Access to OpenClaw's own configuration files could reveal database passwords or other service secrets.
• System Reconnaissance: Reading /etc/hosts, /etc/passwd, or shell history files allows attackers to map the internal network and pivot to other systems.

Because OpenClaw is designed to be an autonomous agent, the exfiltrated data is often processed by an LLM, potentially leading to the leakage of sensitive data into third-party AI provider logs (e.g., OpenAI or Anthropic) if the agent attempts to "read" the stolen file.

The primary remediation is to update OpenClaw immediately to a version including the patch from February 19, 2026. The patch enforces a strict allowlist for file staging operations.

Configuration Hardening: Post-patch, administrators should verify their configuration to ensure attachmentRoots is correctly defined. The default configuration covers standard iMessage paths, but custom setups may need explicit definitions.

Network Defense: For users unable to patch immediately, firewall rules restricting outbound scp or SSH connections from the OpenClaw host to the relay can limit the attack surface, though this may break legitimate functionality. Monitoring logs for "Blocking remote media staging" is essential for detecting attempted exploitation.