What is CVE-2026-33581?

CVE-2026-33581 is a medium-severity vulnerability in Openclaw, classified under Path Traversal. CVSS score: 6.5/10. Published 2026-03-31.

How severe is CVE-2026-33581?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Path Traversal in Openclaw

CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers ca…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (17.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.

Affected products

Openclaw — versions 0, 2026.3.24

Weakness classification (CWE)

CWE-22 — Path Traversal

References

GitHub Security Advisory (GHSA-v8wv-jg3q-qwpq) (third-party-advisory)
Patch Commit (patch)
VulnCheck Advisory: OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters (third-party-advisory)

Frequently asked questions

What is CVE-2026-33581?: CVE-2026-33581 is a medium-severity vulnerability in Openclaw, classified under Path Traversal. CVSS score: 6.5/10. Published 2026-03-31.
How severe is CVE-2026-33581?: Medium severity. CVSS v3 base score is 6.5 out of 10.