cbcvebase.
CVE-2026-32013
published 2026-03-19

Priority: P2 (60) · Severity: high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (46.0th percentile)
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. An attacker who can place a symlink at an allowlisted file path inside the workspace can read or write arbitrary host files with the permissions of the gateway process, which can lead to code execution when the overwritten file is a shell profile, crontab or similar.

Affected (3 ranges)

Vendor    Product   Version range        Fixed in
openclaw  openclaw  < 2026.2.25          2026.2.25
openclaw  openclaw  >= 0, < 2026.2.25    2026.2.25
openclaw  openclaw  0 – 2026.2.22        (none listed)

Detection & IOCs (extracted from sources)

path: src/gateway/server-methods/agents.ts
filename: IDENTITY.md
url: https://github.com/openclaw/openclaw/blob/main/src/gateway/server-methods/agents.ts#L283-L291
url: https://github.com/openclaw/openclaw/blob/main/src/gateway/server-methods/agents.ts#L348-L349
url: https://github.com/openclaw/openclaw/blob/main/src/gateway/server-methods/agents.ts#L274
  • Monitor for symlink creation inside agent workspace directories targeting sensitive files such as /etc/crontab, ~/.bashrc, ~/.profile, or ~/.ssh/authorized_keys — a precursor to exploitation via IDENTITY.md symlink traversal.
  • Alert on unexpected writes to /etc/crontab, ~/.bashrc, ~/.profile, or ~/.ssh/authorized_keys by the OpenClaw gateway process, as these are the primary RCE-enabling targets of this vulnerability.
  • Flag agents.files.get and agents.files.set method invocations where the resolved file path escapes the agent workspace boundary — the primary attack surface described in the CVE.
  • In the OpenClaw gateway process, detect fs.appendFile operations on IDENTITY.md where the file is a symlink (lstat type 'symbolic link') rather than a regular file — the exact condition exploited in the PoC.
  • The patched endpoint returns {'ok': False, 'error': 'symlink_traversal_blocked', 'realPath': '<path>'} — absence of this check in API responses from agents.create/agents.update on openclaw <= 2026.2.22 confirms a vulnerable instance.
  • The vulnerability exists because ensureAgentWorkspace opens IDENTITY.md with flag 'wx' (exclusive create) and treats EEXIST as "already initialized". When IDENTITY.md already exists as an attacker-planted symlink, workspace initialization is silently skipped and the subsequent fs.appendFile follows the symlink without any path validation.
  • The sanitizeIdentityLine function does NOT prevent exploitation: attacker-controlled content (name, emoji, avatar fields) is still appended to the symlink target even after sanitization, which is enough for RCE when the target is a crontab or a shell configuration file.
  • The affected npm package 'openclaw' (versions <= 2026.2.22) had no patched version listed as of the GHSA advisory publication; the CVE fix version is 2026.2.25 per NVD.

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     8.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa    -        8.7    HIGH
osv     -        8.7    HIGH