Symlink Traversal Vulnerability in OpenClaw by OpenClaw
CVE-2026-32013

8.7HIGH

Key Information:

Vendor

Openclaw

Status
Openclaw
Vendor
CVE Published:
19 March 2026

What is CVE-2026-32013?

Versions of OpenClaw prior to 2026.2.25 are susceptible to a symlink traversal vulnerability within the agents.files.get and agents.files.set methods. This flaw allows malicious actors to exploit symlinked files that appear in the allowlist, granting them the ability to read and write files located outside the designated agent workspace. By leveraging this vulnerability, attackers can potentially gain access to arbitrary host files under the permissions set by the gateway process, which may lead to code execution via file overwrite attacks. It is crucial for users of affected versions to apply the necessary patches to mitigate these risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

OpenClaw 0 < 2026.2.25

OpenClaw 2026.2.25

References

https://github.com/openclaw/openclaw/security/advisories/...
third-party-advisory
https://github.com/openclaw/openclaw/commit/125f4071bcbc0...
patch
https://www.vulncheck.com/advisories/openclaw-symlink-tra...
third-party-advisory

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

tdjackey
JSON
.