Platform
nodejs
Component
openclaw
Fixed in
2026.2.19
CVE-2026-32030 is a confidentiality vulnerability in openclaw, a Node.js package. When iMessage remote attachment fetching is enabled, an attacker can make openclaw stage arbitrary files from the remote host via SCP. Versions up to 2026.2.17 are affected; the fix ships in version 2026.2.19.
The root cause is in stageSandboxMedia, which accepts arbitrary absolute paths when iMessage remote attachment fetching is enabled. Because the path is never checked against the expected iMessage attachment directories, an attacker-supplied path makes the SCP step copy a file from anywhere on the remote host into the staging area, bypassing the intended restriction. Successful exploitation exposes sensitive data stored on that host, such as configuration files, source code or other confidential data. The impact is to confidentiality: the attacker reads files but does not directly execute code.
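The pattern described above, as an added illustrative example that is not openclaw's code and not from the advisory: the unsafe "use the path verbatim" construction beside a hardened check that only accepts absolute paths which, after normalisation, lie inside an allow-listed attachment directory. The function names, the allowed-directory list and the sample paths are assumptions made for this demonstration.

```javascript
// Added illustrative example (not openclaw's code): the unsafe pattern CVE-2026-32030
// describes, next to a hardened check. Function names, the allowed-directory list and
// the sample paths are assumptions made for this demonstration.

// Directories on the remote iMessage host from which attachments may legitimately be
// staged. Assumed values; a real deployment would take them from configuration.
const ALLOWED_ATTACHMENT_DIRS = [
  '/Users/imessage/Library/Messages/Attachments',
  '/tmp/openclaw-attachments',
];

// Vulnerable pattern: the path carried by the attachment metadata becomes the scp
// source verbatim, so an absolute path such as /etc/passwd is staged as-is.
function buildScpSourceUnsafe(remoteHost, attachmentPath) {
  return `${remoteHost}:${attachmentPath}`;
}

// Lexical normalisation of an absolute POSIX path: drops empty and "." segments and
// lets ".." climb, so ".." tricks are resolved before the containment check runs.
function normalizeAbsolute(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { out.pop(); continue; }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Hardened: only absolute paths are accepted, and only when, after normalisation,
// they point at something strictly inside one of the allowed directories (the
// directory itself is not an attachment). Returns null on rejection.
function resolveAttachmentPath(attachmentPath) {
  if (typeof attachmentPath !== 'string' || !attachmentPath.startsWith('/')) return null;
  if (attachmentPath.includes('\0')) return null; // a NUL byte would truncate the path downstream
  const resolved = normalizeAbsolute(attachmentPath);
  for (const dir of ALLOWED_ATTACHMENT_DIRS) {
    const base = normalizeAbsolute(dir);
    // "base + '/'" keeps a sibling such as /tmp/openclaw-attachments-evil from matching
    if (resolved.startsWith(base + '/')) return resolved;
  }
  return null;
}

// Hardened builder: refuses to construct an scp source for a rejected path.
function buildScpSourceSafe(remoteHost, attachmentPath) {
  const resolved = resolveAttachmentPath(attachmentPath);
  if (resolved === null) {
    throw new Error(`attachment path outside allowed directories: ${attachmentPath}`);
  }
  return `${remoteHost}:${resolved}`;
}
```

Two caveats for anyone adapting this: the check is lexical, so a symlink inside an allowed directory on the remote side can still point elsewhere, and legacy scp hands the remote path to a shell for expansion, so the path should additionally be restricted to a conservative character set or transferred with SFTP rather than the legacy scp protocol.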
This CVE was published on 2026-03-03. Exploitation depends on iMessage remote attachment fetching being enabled, which limits the exposed population. No public proof of concept (PoC) has been released as of this writing, and the CVE is not listed in the CISA KEV catalog, but a primitive that stages arbitrary files from the remote host warrants attention wherever the feature is in use.
Applications that use openclaw for iMessage integration with channels.imessage.remoteHost configured are at risk. Exposure is largest where the remote host holds more than the attachment directories, for example a shared host on which several applications keep their files: a path outside the attachment directories can reach any file the SCP account on that host is allowed to read, so a compromise through one application can expose the data of others.
• nodejs / supply-chain: npm list openclaw (prints the installed version; anything below 2026.2.19 is unpatched)
• nodejs / supply-chain: npm audit (reports known advisories for the whole dependency tree, including transitive copies of openclaw)
• generic web: inspect the Node.js application's configuration for channels.imessage.remoteHost being set; that is the setting which enables remote attachment fetching.
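The two checks above, combined into one offline script, as an added example that is not part of the advisory or of openclaw: it reads the installed version out of `npm ls openclaw --json` output, compares it numerically against the fix version, and inspects the configuration for channels.imessage.remoteHost. The configuration shape, the `npm ls` sample and the sample configuration are constructed for this demonstration, and any version below 2026.2.19 is treated as unpatched, which is an assumption the advisory does not spell out for 2026.2.18.

```javascript
// Added example (not from the advisory and not openclaw's code): combines the installed
// openclaw version and the channels.imessage.remoteHost setting into one verdict.
// The config shape and the sample inputs below are constructed for this demonstration;
// anything below FIXED_VERSION is treated as unpatched (an assumption).

const FIXED_VERSION = '2026.2.19';

// Parse a calendar-style version such as "2026.2.17" into three numeric components.
function parseCalVer(v) {
  const parts = String(v).trim().split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unrecognised version: ${v}`);
  }
  return parts;
}

// Component-wise numeric comparison (a string compare would rank 2026.2.9 above
// 2026.2.19): negative if a < b, zero if equal, positive if a > b.
function compareCalVer(a, b) {
  const pa = parseCalVer(a);
  const pb = parseCalVer(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isUnpatched(installed) {
  return compareCalVer(installed, FIXED_VERSION) < 0;
}

// Pull the installed version out of parsed `npm ls openclaw --json` output. Only the
// top-level dependency entry is inspected, which is enough for a direct dependency.
function versionFromNpmLs(npmLsJson) {
  const dep = npmLsJson && npmLsJson.dependencies && npmLsJson.dependencies.openclaw;
  return dep && typeof dep.version === 'string' ? dep.version : null;
}

// Assumed config shape: { channels: { imessage: { remoteHost: ... } } }. A non-empty
// string or `true` counts as "remote attachment fetching enabled".
function remoteFetchEnabled(config) {
  const im = config && config.channels && config.channels.imessage;
  const rh = im ? im.remoteHost : undefined;
  return rh === true || (typeof rh === 'string' && rh.trim().length > 0);
}

// Combine both signals into a verdict plus the action to take.
function assess(installedVersion, config) {
  const unpatched = installedVersion !== null && isUnpatched(installedVersion);
  const exposed = unpatched && remoteFetchEnabled(config);
  let action;
  if (installedVersion === null) action = 'openclaw not installed; nothing to do';
  else if (!unpatched) action = 'patched';
  else if (exposed) action = `upgrade to ${FIXED_VERSION} now or unset channels.imessage.remoteHost`;
  else action = `upgrade to ${FIXED_VERSION} (remote fetching currently off)`;
  return { installedVersion, unpatched, exposed, action };
}

// Constructed sample inputs standing in for real `npm ls openclaw --json` output and a
// real configuration file.
const SAMPLE_NPM_LS = {
  name: 'chat-bridge',
  version: '1.0.0',
  dependencies: { openclaw: { version: '2026.2.17' } },
};
const SAMPLE_CONFIG = { channels: { imessage: { remoteHost: 'mac-mini.local' } } };

console.log(assess(versionFromNpmLs(SAMPLE_NPM_LS), SAMPLE_CONFIG));
```

To run it against a real deployment, feed `JSON.parse` of the `npm ls openclaw --json` output into versionFromNpmLs and the parsed configuration into assess; a verdict with exposed set to true is the case the advisory describes.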
disclosure
patch
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to version 2026.2.19 or later, which adds validation of remote attachment paths. If upgrading is not immediately feasible, disable iMessage remote attachment fetching by unsetting channels.imessage.remoteHost. Review logs for SCP transfers whose source path lies outside the expected attachment directories and for SCP connections to unexpected hosts. A web application firewall does not help here: the attacker-controlled path arrives through the iMessage channel, not through an HTTP request. No Sigma or YARA rules are available at this time.
Update OpenClaw to version 2026.2.19 or later. This release fixes the path traversal in the stageSandboxMedia function by correctly validating remote attachment paths.
CVE-2026-32030 is a HIGH severity vulnerability in openclaw affecting versions up to 2026.2.17. When iMessage remote attachment fetching is enabled, it lets an attacker stage arbitrary files from the remote host via SCP and thereby read confidential data.
You are affected if you are using openclaw versions up to 2026.2.17 and have channels.imessage.remoteHost enabled. Check your installed version with npm list openclaw.
Upgrade openclaw to version 2026.2.19 or later. Alternatively, disable channels.imessage.remoteHost to prevent remote attachment fetching.
As of now, there are no confirmed reports of active exploitation. However, the vulnerability's potential impact warrants prompt remediation.
Refer to the openclaw project's release notes and repository for the latest information and advisory regarding CVE-2026-32030.