CVE-2026-32002

Description

### Summary In OpenClaw, the sandboxed `image` tool did not honor `tools.fs.workspaceOnly=true` for mounted paths resolved by the sandbox FS bridge. This allowed reading out-of-workspace mounted images (for example `/agent/*`) and forwarding those bytes to vision model providers. ### Impact Sandbox boundary bypass with confidentiality impact. In affected versions, `read`/`write`/`edit` respected workspace-only guardrails, but `image` could still load mounted out-of-workspace files and exfiltrate them via model requests. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.2.22-2` - Patched versions: `>= 2026.2.23` (released) - Latest published npm at triage time: `2026.2.22-2` ### Technical Details `workspaceOnly` was enforced in sandbox file tools and `apply_patch`, but not propagated/enforced for `image` sandbox path resolution. The fix threads `workspaceOnly` into image-tool construction and asserts sandbox-root containment before loading media bytes. ### Fix Commit(s) - `dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53` OpenClaw thanks @tdjackey for reporting.

How to fix CVE-2026-32002

To remediate CVE-2026-32002, upgrade the affected package to a fixed version below.

—upgrade to 2026.2.23 or later

Is CVE-2026-32002 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2026.2.23

CVSS scores

Source

osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N