CVE-2026-32007

Description

### Summary In some opt-in sandbox configurations, the **experimental** `apply_patch` tool did not consistently apply workspace-only checks to mounted paths (for example `/agent/...`). ### Impact This does **not** affect default installs. Default posture: - `agents.defaults.sandbox.mode=off` (sandbox disabled by default) - `tools.exec.applyPatch.enabled=false` (experimental tool disabled by default) This behavior applies only when all of the following are enabled/configured: - sandbox mode, - experimental `apply_patch`, - workspace-only expectations (`tools.fs.workspaceOnly=true` and/or `tools.exec.applyPatch.workspaceOnly=true`), - and writable mounts outside workspace. Under that opt-in setup, `apply_patch` operations could target mounted paths outside the workspace root. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected published versions: `<= 2026.2.22-2` - Fixed in code on `main`: commit `6634030be31e1a1842967df046c2f2e47490e6bf` - Patched release: `2026.2.23` ### Technical Details In the sandbox path flow, `apply_patch` used `sandbox.bridge.resolvePath(...)` without applying the same workspace-root assertion used by other filesystem tools. The fix makes `apply_patch` follow the same workspace-only enforcement for sandbox-resolved paths (unless explicitly disabled with `tools.exec.applyPatch.workspaceOnly=false`). ### Fix Commit(s) - `6634030be31e1a1842967df046c2f2e47490e6bf` ### Release Process Note `patched_versions` is pre-set to the released version (`2026.2.23`). Patched in `2026.2.23` and published. OpenClaw thanks @tdjackey for reporting.

How to fix CVE-2026-32007

To remediate CVE-2026-32007, upgrade the affected package to a fixed version below.

• —upgrade to 2026.2.23 or later

Is CVE-2026-32007 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2026.2.23