GHSA-FGVX-58P6-GJWC: Critical Symlink Traversal in OpenClaw Gateway
Vulnerability ID: GHSA-FGVX-58P6-GJWC
CVSS Score: 9.8
Published: 2026-03-02
A critical symbolic link traversal vulnerability exists in the OpenClaw gateway component, specifically within the agents.files API methods. The vulnerability permits attackers to bypass workspace isolation mechanisms by creating symbolic links with allowlisted filenames (e.g., AGENTS.md) that point to arbitrary locations on the host filesystem. Successful exploitation allows unauthorized read and write access to sensitive system files, potentially leading to full system compromise.
TL;DR
OpenClaw gateway fails to validate symbolic links in agent workspaces. Attackers can read/write host files by symlinking allowlisted filenames to system paths. Fixed in version 2026.2.25.
Technical Details
- Vulnerability ID: GHSA-FGVX-58P6-GJWC
- CWE ID: CWE-59
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
- Affected Component: agents.files API
- Patched Version: 2026.2.25
Affected Systems
- OpenClaw Gateway
- Node.js environments hosting OpenClaw
-
openclaw: < 2026.2.25 (Fixed in:
2026.2.25)
Code Analysis
Commit: 125f407
Fix agents.files symlink escape vulnerability
Mitigation Strategies
- Input Validation
- Path Canonicalization
- Principle of Least Privilege
- Containerization
Remediation Steps:
- Update
openclawnpm package to version2026.2.25or later. - Restart the OpenClaw gateway service to apply changes.
- Scan existing agent workspace directories for symbolic links pointing to external paths.
- Review file permissions for the user running the OpenClaw process.
References
Read the full report for GHSA-FGVX-58P6-GJWC on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)