What is the CVSS score of CVE-2026-27485?

CVE-2026-27485 has a CVSS 3.1 base score of 4.4 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of AI / ML are affected by CVE-2026-27485?

Organizations using OpenClaw should be aware of moderate risk from CVE-2026-27485 rated CVSS 4.4. Exploitation could compromise the security of affected deployments.. A patch is available.

AI / ML CVE-2026-27485

MEDIUM

UNIX Symbolic Link (Symlink) Following (CWE-61)

2026-02-21 security-advisories@github.com

GHSA-r6h2-5gqq-v5v6

Information Disclosure AI / ML Openclaw

4.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:04 vuln.today

Patch released

Feb 23, 2026 - 20:43 nvd

Patch available

CVE Published

Feb 21, 2026 - 10:16 nvd

MEDIUM 4.4

DescriptionNVD

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.

AnalysisAI

Openclaw contains a vulnerability that allows attackers to potential unintentional disclosure of local files from the packaging machine int (CVSS 4.4).

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-27485 vulnerability details – vuln.today

Back