Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8Blast Radius
ecosystem impact- 1 npm packages depend on openclaw (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 2026.3.31.
DescriptionCVE.org
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attackers can bypass sandbox restrictions by crafting malicious symlinks in mirror sync operations to access arbitrary files outside intended boundaries.
AnalysisAI
Sandbox escape in OpenClaw file synchronization before version 2026.3.31 enables remote authenticated attackers to read and write arbitrary files outside intended boundaries via crafted symlinks during mirror sync operations. The vulnerability exploits CWE-59 (Improper Link Resolution Before File Access) with attack complexity rated High and requires low privileges, indicating targeted exploitation scenarios. Vendor patches available via GitHub commits c02ee8a and 3b9dab0, with CVSS 7.6 reflecting high confidentiality and integrity impact but no availability impact. No active exploitation or public POC identified at time of analysis beyond vendor disclosure.
Technical ContextAI
This vulnerability affects the file synchronization component of OpenClaw (CPE: cpe:2.3:a:openclaw:openclaw), classified as CWE-59 (Improper Link Resolution Before File Access / Link Following). The flaw occurs when OpenClaw's sandbox environment fails to properly validate symbolic links during mirror synchronization operations. When processing sync requests, the application follows symlinks without verifying whether the target path escapes the intended sandbox directory boundaries. This is a classic TOCTOU (Time-of-Check-Time-of-Use) issue where symlink resolution happens after path validation, allowing an attacker to substitute a legitimate path with a symlink pointing to restricted filesystem locations. The CVSS 4.0 vector indicates network-based attack delivery (AV:N), high complexity (AC:H) suggesting specific timing or configuration requirements, and present attack techniques (AT:P) meaning specialized knowledge is needed. The vulnerability impacts confidentiality and integrity (VC:H/VI:H) while leaving availability unaffected (VA:N), with no scope change (SC:N/SI:N/SA:N), indicating the attack remains within the vulnerable component's privileges.
RemediationAI
Upgrade to OpenClaw version 2026.3.31 or later, which contains fixes implemented in GitHub commits c02ee8a3a4cb390b23afdf21317aa8b2096854d1 and 3b9dab0ece4643a9643e6a45459f5c709d3ce320. Review the vendor advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-cwf8-44x6-32c2 for version-specific guidance. If immediate patching is not feasible, implement compensating controls: disable remote access to mirror sync functionality entirely by blocking sync API endpoints at the network perimeter (eliminates AV:N vector but breaks legitimate sync use cases); restrict sync feature access to only essential administrative accounts via RBAC policies (raises PR:L to PR:H, reducing attacker pool); deploy filesystem-level symlink restrictions using mount options like 'nosymfollow' on sync target directories (breaks legitimate symlink use within sync operations); enable audit logging for all sync operations with real-time alerting on sync requests containing symlink paths (detection-focused, does not prevent exploitation but enables incident response). Each mitigation trades functionality for security-coordinate with application owners before implementing.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26105
GHSA-cwf8-44x6-32c2