Home

Description

OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.

PUBLISHED Reserved 2026-07-13 | Published 2026-07-13 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.6CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

HIGH: 7.1CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Problem types

Improper Link Resolution Before File Access ('Link Following')

Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status
unaffected

Any version before 2026.6.9
affected

2026.6.9 (semver)
unaffected

Credits

Rex Liu (@rexpository) reporter

References

github.com/...enclaw/security/advisories/GHSA-m38g-vpwj-mpg9 (GitHub Security Advisory (GHSA-m38g-vpwj-mpg9)) vendor-advisory

www.vulncheck.com/...nclaw-symlink-following-via-mirror-sync (VulnCheck Advisory: OpenClaw < 2026.6.9 Symlink Following via Mirror Sync) third-party-advisory

cve.org (CVE-2026-62189)

nvd.nist.gov (CVE-2026-62189)

Download JSON