Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.
AnalysisAI
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the browser trace and download output path handling that allows local attackers with limited privileges to escape the managed temporary root directory and overwrite arbitrary files on the system. An attacker can create symbolic links to redirect file writes outside the intended sandbox, resulting in information disclosure and potential system compromise through arbitrary file modification. A patch is available from the vendor, and this vulnerability requires local access with low privileges to exploit, making it a medium-severity concern for multi-user systems.
Technical ContextAI
This vulnerability is rooted in CWE-59 (Improper Link Resolution Before File Access, also known as symlink traversal), a classic file system security flaw where applications fail to validate symlink targets before performing file operations. The OpenClaw application (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) manages temporary directories for browser trace logging and download operations, but does not properly sanitize or resolve symbolic links before writing output to these paths. An attacker with local system access can place crafted symlinks in predictable locations within the temp directory structure, causing OpenClaw to follow those symlinks and write sensitive data or executable content to arbitrary filesystem locations outside the intended sandboxed temp root. This is particularly dangerous in shared hosting or containerized environments where multiple users or processes operate on the same system.
RemediationAI
Immediately upgrade OpenClaw to version 2026.2.25 or later to apply the vendor patch available at https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3. Until patching is possible, restrict local system access to OpenClaw processes using OS-level privilege separation and file system isolation (e.g., dedicated unprivileged user accounts, AppArmor, SELinux, or seccomp profiles that prevent symlink creation in temp directories). Configure the application to use a private temporary directory with restrictive permissions (mode 0700) and verify that temp paths are created at runtime with O_EXCL or equivalent atomic semantics. Implement monitoring and alerting on unexpected symlink creation within OpenClaw's temp directories to detect attack attempts.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13955
GHSA-ffr4-mrhv-vfr2