What is the CVSS score of EUVD-2026-12734?

EUVD-2026-12734 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Openclaw are affected by EUVD-2026-12734?

CVE-2026-27523 presents moderate security risk, a path traversal vulnerability rated CVSS 6.1. This could allow unauthorized file access.. A patch is available.

Openclaw EUVD-2026-12734

| CVE-2026-27523 MEDIUM

Path Traversal (CWE-22)

2026-03-18 VulnCheck

GHSA-m8v2-6wwh-r4gc

Path Traversal Openclaw

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Lifecycle Timeline

EUVD ID Assigned

Mar 18, 2026 - 02:30 euvd

EUVD-2026-12734

Analysis Generated

Mar 18, 2026 - 02:30 vuln.today

Patch released

Mar 18, 2026 - 02:30 nvd

Patch available

CVE Published

Mar 18, 2026 - 01:34 nvd

MEDIUM 6.1

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.2.24.

DescriptionNVD

OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement.

AnalysisAI

OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation bypass vulnerability that allows local attackers with low privileges to circumvent allowed-root and blocked-path security checks through symlinked parent directories combined with non-existent leaf paths. An attacker can craft bind source paths that appear to reside within permitted sandbox roots but resolve outside sandbox boundaries once missing path components are created, effectively weakening the sandbox's bind-source isolation enforcement. …

RemediationAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-12734 vulnerability details – vuln.today

Back