How severe is GHSA-x9cf-3w63-rpq9?

GHSA-x9cf-3w63-rpq9 has a CVSS score of 7.5/10, rated HIGH. Immediate patching is strongly recommended.

Which packages are affected by GHSA-x9cf-3w63-rpq9?

GHSA-x9cf-3w63-rpq9 affects the following packages: openclaw (npm). Ecosystems affected: npm.

How do I fix GHSA-x9cf-3w63-rpq9?

Update openclaw to 2026.2.19 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x9cf-3w63-rpq9 is resolved across your whole dependency graph.

How do I detect GHSA-x9cf-3w63-rpq9 in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-x9cf-3w63-rpq9 if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-x9cf-3w63-rpq9?

O3 pinpoints whether GHSA-x9cf-3w63-rpq9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-x9cf-3w63-rpq9 actively exploited in the wild?

No public exploit code has been indexed for GHSA-x9cf-3w63-rpq9 yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-x9cf-3w63-rpq9?

GHSA-x9cf-3w63-rpq9 has an EPSS (Exploit Prediction Scoring System) score of 0.3%, placing it in the 26th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-x9cf-3w63-rpq9?

GHSA-x9cf-3w63-rpq9 is classified as Path Traversal (CWE-22). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation. This is a high-impact weakness class that often enables remote code execution or data exposure.

When was GHSA-x9cf-3w63-rpq9 published, and has it been updated?

GHSA-x9cf-3w63-rpq9 was published on March 3, 2026 and was last updated on March 27, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-x9cf-3w63-rpq9

HIGH

OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia

Also known asCVE-2026-32030

Published

Mar 3, 2026

Updated

Mar 27, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.3%probability of exploitation in next 30 days

Lower Risk26th percentile+0.27%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

openclawnpm

4.3Mdownloads / week

Description

Summary

When iMessage remote attachment fetching is enabled (channels.imessage.remoteHost), stageSandboxMedia accepted arbitrary absolute paths and used SCP to copy them into local staging.

If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged.

Affected Packages / Versions

Package: openclaw
Affected: up to and including 2026.2.17 (latest npm version as of February 19, 2026)
Fixed: pending next release with remote attachment path validation

Impact

Confidentiality impact. An attacker who can influence inbound attachment path metadata may disclose files readable by the OpenClaw process on the configured remote host.

Attack Preconditions

iMessage attachments enabled (channels.imessage.includeAttachments=true), and
remote attachment mode active (channels.imessage.remoteHost configured or auto-detected), and
attacker can inject/tamper with attachment path metadata.

Given these preconditions, this advisory is assessed as medium severity.

Fix Commit(s)

1316e5740382926e45a42097b4bfe0aef7d63e8e

Release Process Note

patched_versions should be set to the next released npm version that includes remote attachment path validation, then the advisory can be published.

Mitigation

Upgrade to the first release that includes remote attachment path validation.
If remote attachments are not required, disable iMessage attachment ingestion.
Run OpenClaw under least privilege on the remote host.

OpenClaw thanks @zpbrent for reporting.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`openclaw`	all versions	2026.2.19

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for openclaw. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update openclaw to 2026.2.19 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x9cf-3w63-rpq9 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x9cf-3w63-rpq9 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-x9cf-3w63-rpq9. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary When iMessage remote attachment fetching is enabled (`channels.imessage.remoteHost`), `stageSandboxMedia` accepted arbitrary absolute paths and used SCP to copy them into local staging. If a non-attachment path reaches this flow, files outside expected iMessage attachment directories on the remote host can be staged. ### Affected Packages / Versions - Package: `openclaw` - Affected: up to and including `2026.2.17` (latest npm version as of February 19, 2026) - Fixed: pending next release with remote attachment path validation ### Impact Confidentiality impact. An attacker who ca

O3 Security · Impact-Aware SCA

Is GHSA-x9cf-3w63-rpq9 in your dependencies?

O3 detects GHSA-x9cf-3w63-rpq9 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works