EUVD-2026-13019
GHSA-cfvj-7rx7-fc7c
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4Description
OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.
Analysis
OpenClaw versions prior to 2026.3.2 contain a symlink traversal vulnerability in the stageSandboxMedia function that fails to validate destination symlinks during media staging operations. This allows local attackers with low privileges to write files outside the intended sandbox workspace by placing malicious symlinks in the media/inbound directory, resulting in arbitrary file overwrite on the host system. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today