Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 npm packages depend on openclaw (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.2.
DescriptionCVE.org
OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound restrictions and write files to arbitrary locations.
AnalysisAI
OpenClaw prior to version 2026.3.2 allows local users with standard privileges to write files outside designated directories through insufficient path validation in the browser output handler. An attacker can exploit this path-confinement bypass to place malicious files in arbitrary filesystem locations, potentially leading to privilege escalation or system compromise.
Technical ContextAI
The vulnerability affects OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*) and is classified under CWE-59 (Improper Link Resolution Before File Access, also known as 'Link Following'). The root cause involves insufficient validation of canonical file paths in browser output handling mechanisms, allowing attackers to bypass directory confinement checks through path traversal sequences (e.g., ../ or similar bypass techniques). The flaw exists in the file write operations that are intended to confine output to a specific root directory but fail to properly normalize and validate user-supplied paths before performing filesystem operations.
RemediationAI
Upgrade OpenClaw to version 2026.3.2 or later immediately; the vendor has released a patch available at https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c. Organizations unable to patch immediately should restrict local system access to OpenClaw installations to trusted administrators only, disable unnecessary local user accounts with OpenClaw access, and implement filesystem-level access controls (e.g., SELinux or AppArmor) to confine OpenClaw process writes to intended directories. Monitor file access logs for suspicious write operations outside the configured root directory.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar
Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra
An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT
Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi
An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner
The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte
Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se
A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca
Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12726
GHSA-3pxq-f3cp-jmxp