CVE-2026-32013
Published 2026-03-19
Priority P2 (60) · Severity high · CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (46.0th percentile)
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| openclaw | openclaw | < 2026.2.25 | 2026.2.25 |
| openclaw | openclaw | >= 0 < 2026.2.25 | 2026.2.25 |
| openclaw | openclaw | 0 – 2026.2.22 | — |
Detection & IOCs (extracted from sources)
- Monitor for symlink creation inside agent workspace directories targeting sensitive files such as /etc/crontab, ~/.bashrc, ~/.profile, or ~/.ssh/authorized_keys, a precursor to exploitation via IDENTITY.md symlink traversal.
- Alert on unexpected writes to /etc/crontab, ~/.bashrc, ~/.profile, or ~/.ssh/authorized_keys by the OpenClaw gateway process, as these are the primary RCE-enabling targets of this vulnerability.
- Flag agents.files.get and agents.files.set method invocations where the resolved file path escapes the agent workspace boundary, the primary attack surface described in the CVE.
- In the OpenClaw gateway process, detect fs.appendFile operations on IDENTITY.md where the file is a symlink (lstat type 'symbolic link') rather than a regular file, the exact condition exploited in the PoC.
- The patched endpoint returns {'ok': False, 'error': 'symlink_traversal_blocked', 'realPath': '<path>'}; absence of this check in API responses from agents.create/agents.update on openclaw <= 2026.2.22 confirms a vulnerable instance.
- The vulnerability exists because ensureAgentWorkspace uses flag 'wx' (exclusive create), which silently skips workspace initialization when IDENTITY.md already exists as a symlink (EEXIST), allowing fs.appendFile to follow the symlink without any path validation.
- The sanitizeIdentityLine function does NOT prevent exploitation: attacker-controlled content (name, emoji, avatar fields) is still injected into the symlink target file even after sanitization, enabling RCE via crontab or shell config file injection.
- Affected npm package 'openclaw' versions <= 2026.2.22 had no patched version available as of the GHSA advisory publication; the CVE fix version is 2026.2.25 per NVD.
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD (v4.0): 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- GHSA: 8.7 HIGH
- OSV: 8.7 HIGH
GHSA · 2026-04-10 · CVE-2026-32013 [MEDIUM] CWE-61
Duplicate Advisory: OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-7xr2-q9vf-x4r5. This link is maintained to preserve external references.
## Original Description
OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.
OSV / GHSA · 2026-03-26 · CVSS 8.7 · CVE-2026-32013 [HIGH] CWE-61
OpenClaw: Symlink Traversal via IDENTITY.md appendFile in agents.create/update (Incomplete Fix for CVE-2026-32013)
### Summary
The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for `agents.files.get` and `agents.files.set`. However, two other handlers in the same file (`agents.create` and `agents.update`) still use raw `fs.appendFile` on the `IDENTITY.md` file **without any symlink containment check**. An attacker who can place a symlink in the agent workspace can hijack the `IDENTITY.md` path to append attacker-controlled content to arbitrary files on the system.
### Details
In `src/gateway/server-methods/agents.ts`, the `agents.create` handler constructs the identity path and appends agent metadata without verifying symlinks:
OSV / GHSA · 2026-03-02 · CVE-2026-32013 [CRITICAL] CWE-22
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
## Impact
The gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.
This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `< 2026.2.25`
## Remediation
`agents.files` now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-worksp
No detection rules found.
No public exploits indexed.
Wiz · CVSS 8.7 · CVE-2026-32013 [HIGH]
## CVE-2026-32013: OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.
Source: NVD
Score 8.7
- Published: March 19, 2026
- Severity: HIGH
- CNA Score: 8.7
- Affected Technologies: OpenClaw (formerly Moltbot or Clawdbot)
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 29.8
- Exploitation Prob
Wiz · CVSS 8.7 · [HIGH]
## GHSA-7xr2-q9vf-x4r5: OpenClaw (formerly Moltbot or Clawdbot) vulnerability analysis and mitigation
## Summary
The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for `agents.files.get` and `agents.files.set`. However, two other handlers in the same file (`agents.create` and `agents.update`) still use raw `fs.appendFile` on the `IDENTITY.md` file **without any symlink containment check**. An attacker who can place a symlink in the agent workspace can hijack the `IDENTITY.md` path to append attacker-controlled content to arbitrary files on the system.
## Details
In `src/gateway/server-methods/agents.ts`, the `agents.create` handler constructs the identity path and appends agent metadata without verifying symlinks:
```typescript
// agents.create — line 283-291
const identityPath = path.join(workspaceDir, DEFAULT_IDENTITY_FILENAME);
const lines = [
  "",
  `- Name: ${safeName}`,
  ...(emoji ? [`- Emoji: ${sanitizeIdentityLine(emoji)}`] : []),
  ...(avatar ? [`- Avatar: ${sanitizeIdentityLine(avatar)}`] : []),
  "",
];
await fs.appendFile(identityPath, lines.join("\n"), "utf-8"); // ← NO SYMLINK CHECK
```
The `agents.update` handler does the same:
```typescript
// agents.update — line 348-349
const identityPath = path.join(workspace, DEFAULT_IDENTITY_FILENAME);
await fs.appendFile(id
```
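The two handlers above take the path from `path.join` and hand it straight to `fs.appendFile`, so a symlink at `IDENTITY.md` redirects the append wherever it points. The following is an added example, not OpenClaw's code, of the containment step the remediation describes (resolve the real workspace path, enforce containment for the resolved target, reject out-of-workspace symlink targets) applied before an append. The function names `resolveContained`, `appendContained` and `demo`, the result shape, and the decision to keep symlinks whose target stays inside the workspace are this example's own assumptions; the error string `symlink_traversal_blocked` mirrors the value quoted in the detection section, but the real endpoint's response shape is not shown on the page. The scenario is a constructed temporary workspace with a legitimate `AGENTS.md`, an in-workspace symlink, and an `IDENTITY.md` symlink that points at a file outside the workspace.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Result shape used by this example only (assumption; the gateway's real shape is not on the page).
export interface ContainmentResult {
  ok: boolean;
  error?: "path_traversal_blocked" | "symlink_traversal_blocked";
  realPath: string;
}

// True when `target` is a strict descendant of `root`; both must already be absolute and canonical.
function isInside(root: string, target: string): boolean {
  const rel = path.relative(root, target);
  return rel !== "" && rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Resolve `filename` inside `workspaceDir` and verify that the *real* target stays in the workspace.
// Symlinks are tolerated only when they resolve inside the workspace; a symlink pointing elsewhere,
// including a dangling one, is rejected before anything is written.
export function resolveContained(workspaceDir: string, filename: string): ContainmentResult {
  const realWorkspace = fs.realpathSync(workspaceDir);
  const candidate = path.resolve(realWorkspace, filename);
  // Lexical check first: catches "../victim.txt" or an absolute path without touching the filesystem.
  if (!isInside(realWorkspace, candidate)) {
    return { ok: false, error: "path_traversal_blocked", realPath: candidate };
  }
  let realPath: string;
  try {
    realPath = fs.realpathSync(candidate);
  } catch (err) {
    if ((err as { code?: string }).code !== "ENOENT") throw err;
    // Nothing resolvable at that name: either a genuinely absent file or a dangling symlink.
    let isLink = false;
    try {
      isLink = fs.lstatSync(candidate).isSymbolicLink();
    } catch {
      /* genuinely absent: a fresh file may be created here */
    }
    if (isLink) return { ok: false, error: "symlink_traversal_blocked", realPath: candidate };
    return { ok: true, realPath: candidate };
  }
  if (!isInside(realWorkspace, realPath)) {
    return { ok: false, error: "symlink_traversal_blocked", realPath };
  }
  return { ok: true, realPath };
}

// Append `content` only after containment passes. The write goes to the resolved real path and
// opens it with O_NOFOLLOW, so a symlink swapped in at the last path component after the check
// cannot redirect the open (parent-directory races are out of scope for this example).
export function appendContained(workspaceDir: string, filename: string, content: string): ContainmentResult {
  const res = resolveContained(workspaceDir, filename);
  if (!res.ok) return res;
  const c = fs.constants;
  const flags = c.O_WRONLY | c.O_CREAT | c.O_APPEND | (c.O_NOFOLLOW ?? 0); // O_NOFOLLOW is POSIX-only
  const fd = fs.openSync(res.realPath, flags, 0o600);
  try {
    fs.writeSync(fd, content);
  } finally {
    fs.closeSync(fd);
  }
  return res;
}

// Constructed scenario: temp workspace with a real AGENTS.md, an in-workspace symlink LOCAL.md,
// and an IDENTITY.md symlink whose target is a file outside the workspace.
export function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const workspace = path.join(base, "workspace");
  const outside = path.join(base, "victim.txt"); // stand-in for a host file outside the workspace
  fs.mkdirSync(workspace);
  fs.writeFileSync(outside, "original\n");
  fs.writeFileSync(path.join(workspace, "AGENTS.md"), "# agents\n");
  fs.symlinkSync(path.join(workspace, "AGENTS.md"), path.join(workspace, "LOCAL.md"));
  fs.symlinkSync(outside, path.join(workspace, "IDENTITY.md"));
  const line = "- Name: demo\n";
  try {
    const direct = appendContained(workspace, "AGENTS.md", line);      // regular file: allowed
    const viaLocalLink = appendContained(workspace, "LOCAL.md", line); // symlink inside workspace: allowed
    const escaped = appendContained(workspace, "IDENTITY.md", line);   // symlink escaping: blocked
    const lexical = appendContained(workspace, "../victim.txt", line); // plain traversal: blocked
    return {
      direct, viaLocalLink, escaped, lexical,
      agentsContent: fs.readFileSync(path.join(workspace, "AGENTS.md"), "utf-8"),
      outsideContent: fs.readFileSync(outside, "utf-8"),
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}
```

Running `demo()` shows the two in-workspace appends landing in `AGENTS.md` while `victim.txt` keeps its original content, which is the property the detection entries above are checking for: the gateway process never writes through a workspace symlink whose real target lies outside the workspace. The `'wx'`-flag skip described in the detection section would be irrelevant under this design, since the containment check runs on every append rather than only during workspace initialization.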