What is CVE-2026-32026?

CVE-2026-32026 is a medium-severity vulnerability in Openclaw, classified under Path Traversal. CVSS score: 6.5/10. Published 2026-03-19.

How severe is CVE-2026-32026?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Path Traversal in Openclaw

CVE-2026-32026

OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability in sandbox media handling that allows absolute paths under the host temporary directory outside the active sandbox root. Attackers can exploit this by p…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (23.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Affected products

Openclaw — versions 0, 2026.2.24

Weakness classification (CWE)

CWE-22 — Path Traversal

References

GitHub Security Advisory (GHSA-33hm-cq8r-wc49) (third-party-advisory)
Patch Commit #1 (patch)
Patch Commit #2 (patch)
Patch Commit #3 (patch)
VulnCheck Advisory: OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox (third-party-advisory)

Frequently asked questions

What is CVE-2026-32026?: CVE-2026-32026 is a medium-severity vulnerability in Openclaw, classified under Path Traversal. CVSS score: 6.5/10. Published 2026-03-19.
How severe is CVE-2026-32026?: Medium severity. CVSS v3 base score is 6.5 out of 10.