Home

Description

OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.

PUBLISHED Reserved 2026-03-10 | Published 2026-03-21 | Updated 2026-03-24 | Assigner VulnCheck




HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

HIGH: 7.6CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 2026.2.26
affected

2026.2.26 (semver)
unaffected

Credits

tdjackey reporter

References

github.com/...enclaw/security/advisories/GHSA-mgrq-9f93-wpp5 (GitHub Security Advisory (GHSA-mgrq-9f93-wpp5)) third-party-advisory

github.com/...ommit/46eba86b45e9db05b7b792e914c4fe0de1b40a23 (Patch Commit #1) patch

github.com/...ommit/1aef45bc060b28a0af45a67dc66acd36aef763c9 (Patch Commit #2) patch

www.vulncheck.com/...oundary-bypass-via-non-existent-symlink (VulnCheck Advisory: OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink) third-party-advisory

cve.org (CVE-2026-32055)

nvd.nist.gov (CVE-2026-32055)

Download JSON