CVE-2026-35658

MEDIUM6.5EPSS 0.04%

OpenClaw: Image Tool `tools.fs.workspaceOnly` Bypass via Sandbox Bridge Mounts

發布日:2026/3/26修改日:2026/4/10

描述

## Summary The `image` tool did not fully honor the `tools.fs.workspaceOnly` filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `< 2026.3.2` - Fixed: `>= 2026.3.2` - Latest released tags checked: `v2026.3.23` (`ccfeecb6887cd97937e33a71877ad512741e82b2`) and `v2026.3.23-2` (`630f1479c44f78484dfa21bb407cbe6f171dac87`) - Latest published npm version checked: `2026.3.23-2` ## Fix Commit(s) - `dd9d9c1c609dcb4579f9e57bd7b5c879d0146b53` - `14baadda2c456f3cf749f1f97e8678746a34a7f4` ## Release Status The complete fix shipped in `v2026.3.2` and remains present in `v2026.3.23` and `v2026.3.23-2`. ## Code-Level Confirmation - `src/agents/openclaw-tools.ts` now passes `fsPolicy` into `createImageTool`, so the image tool receives the same workspace-only policy input as the other filesystem tools. - `src/agents/tools/image-tool.ts`, `src/agents/tools/media-tool-shared.ts`, and `src/agents/sandbox-media-paths.ts` now restrict local roots and sandbox-bridge resolution to the workspace when `tools.fs.workspaceOnly` is enabled. OpenClaw thanks @YLChen-007 for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osvCVSS 3.1MEDIUM6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

參考連結(8)