CVE Reports

Originally published at cvereports.com

GHSA-fv94-qvg8-xqpw: OpenClaw SSH Sandbox Symlink Escape and Arbitrary File Access

Vulnerability ID: GHSA-FV94-QVG8-XQPW
CVSS Score: 8.8
Published: 2026-04-02

OpenClaw versions 2026.3.28 and earlier contain a critical symbolic link handling vulnerability within the SSH sandbox synchronization process. The framework fails to validate symbolic links before executing file uploads via the uploadDirectoryToSshTarget function. This flaw allows an attacker interacting with the AI agent to traverse directory boundaries, resulting in arbitrary file reads from the local system or arbitrary file writes to the remote sandbox host.

TL;DR

A symlink validation failure in OpenClaw allows an AI agent to read arbitrary local files or write to arbitrary remote files during SSH sandbox synchronization, leading to sandbox escape.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-61, CWE-59
  • Attack Vector: Network / AI Prompt Injection
  • CVSS v3.1 Score: 8.8 (High)
  • Impact: Arbitrary File Read, Arbitrary File Write, Sandbox Escape
  • Exploit Status: Proof of Concept (Academic)
  • Component: uploadDirectoryToSshTarget

Affected Systems

  • OpenClaw framework <= 2026.3.28
  • Node.js environments running openclaw npm package
  • Remote SSH sandbox hosts connected to vulnerable OpenClaw instances
  • openclaw: <= 2026.3.28 (Fixed in: 2026.3.31)

Code Analysis

Commit: 3d5af14

Fix: Prevent symbolic links from escaping the SSH sandbox upload directory.

Added the assertSafeUploadSymlinks function, which uses fs.readdir with withFileTypes: true to validate symlinks using resolveBoundaryPath.
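
The kind of boundary check the fix describes, as an added example in Node.js (not OpenClaw's code): it lists a directory with withFileTypes: true and reports every symlink whose resolved target falls outside the upload root or cannot be resolved. The names findEscapingSymlinks, isInside and buildSampleWorkspace are hypothetical, and fs.realpathSync stands in for the project's resolveBoundaryPath, whose behaviour the page does not show.

```javascript
// Added example with hypothetical helper names; not OpenClaw's code.
const fs = require("fs");
const os = require("os");
const path = require("path");

// True when `target` is `root` itself or lies beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === "" ||
    (rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel));
}

// Walk `root` without following links; return every symlink whose real
// target is outside `root` or cannot be resolved (dangling or looping).
function findEscapingSymlinks(root) {
  const realRoot = fs.realpathSync(root);
  const offenders = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let target = null;
        try { target = fs.realpathSync(full); } catch { /* unresolvable */ }
        if (target === null || !isInside(realRoot, target)) {
          offenders.push(path.relative(realRoot, full));
        }
      } else if (entry.isDirectory()) {
        walk(full); // real directories only; links are never descended
      }
    }
  };
  walk(realRoot);
  return offenders.sort();
}

// Constructed sample workspace: one link stays inside, two do not.
function buildSampleWorkspace() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "upload-check-")));
  const root = path.join(base, "workspace");
  fs.mkdirSync(path.join(root, "src"), { recursive: true });
  fs.writeFileSync(path.join(root, "src", "app.js"), "// sample\n");
  fs.writeFileSync(path.join(base, "outside.txt"), "not part of the upload\n");
  fs.symlinkSync(path.join(root, "src", "app.js"), path.join(root, "ok-link"));
  fs.symlinkSync(path.join(base, "outside.txt"), path.join(root, "src", "leak"));
  fs.symlinkSync(path.join(root, "missing"), path.join(root, "dangling"));
  return root;
}

console.log(findEscapingSymlinks(buildSampleWorkspace()));
```

A pre-upload check of this kind only holds if the workspace cannot be modified between the check and the transfer.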

Mitigation Strategies

  • Upgrade the openclaw npm package to version 2026.3.31 or later.
  • Enable Human-in-the-Loop (HITL) mode to intercept and review autonomous agent file operations.
  • Enforce strict least-privilege permissions for the SSH user account executing the sandbox environment.
  • Implement filesystem monitoring on local agent workspaces to detect anomalous symbolic link creation.

Remediation Steps:

  1. Identify all projects utilizing the 'openclaw' npm package within your environment.
  2. Modify package.json files to require 'openclaw' at version '>=2026.3.31'.
  3. Execute 'npm update openclaw' or equivalent package manager commands to retrieve the patched version.
  4. Rebuild and redeploy applications utilizing the framework.
  5. Audit sandbox execution environments to verify SSH users lack permissions to modify configuration files outside the designated sandbox directory.

Read the full report for GHSA-FV94-QVG8-XQPW on our website for more details including interactive diagrams and full exploit analysis.
