EUVD-2026-13956
GHSA-mgrq-9f93-wpp5
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
5Blast Radius
ecosystem impact- 2 npm packages depend on openclaw (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.2.26.
DescriptionCVE.org
OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation to escape the workspace boundary and create files in arbitrary locations.
AnalysisAI
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace directory by exploiting improper symlink resolution in path validation checks. An attacker with workspace access can leverage in-workspace symlinks pointing to external targets to bypass boundary restrictions on the first write operation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Authenticated user access to OpenClaw versions prior to 2026.2.26 with workspace write permissions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS v3.1 score of 7.6 (High) reflects network attack vector (AV:N), low complexity (AC:L), low privileges required (PR:L), and high integrity impact (I:H) with low confidentiality and availability impacts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with authenticated low-privilege access to an OpenClaw instance creates a symbolic link within their workspace pointing to a sensitive system path such as /etc/cron.d/ or application configuration directories. When OpenClaw performs its next write operation following the symlink, the boundary validation fails to detect the out-of-workspace target, allowing the attacker to create or overwrite files in the targeted location. … |
| Remediation | Upgrade OpenClaw to version 2026.2.26 or later, which contains fixes for the symlink path traversal vulnerability as documented in the GitHub Security Advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-mgrq-9f93-wpp5. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running OpenClaw and identify affected versions; restrict workspace access to essential users only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in OpenClaw before 2026.5.12 allows authenticated operators to bypass the PowerShell execution all
Command injection in OpenClaw before 2026.5.18 allows authenticated attackers to modify shell wrapper argv between appro
Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skil
Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information
Privilege escalation in OpenClaw before 2026.5.18 allows WebSocket-connected Control UI clients to claim operator.admin
Share
External POC / Exploit Code
Leaving vuln.today