GHSA-M8V2-6WWH-R4GC: Sandbox Escape via Symlink Manipulation in OpenClaw
Vulnerability ID: GHSA-M8V2-6WWH-R4GC
CVSS Score: 8.2
Published: 2026-03-03
A critical logic error in OpenClaw's path validation mechanism allows attackers to bypass sandbox restrictions. By requesting bind mounts for non-existent files within symlinked parent directories, attackers can trick the validation logic into accepting paths that resolve to restricted host directories (e.g., /etc or /var). This effectively breaks the security boundary between the sandboxed agent and the host system.
TL;DR
OpenClaw failed to resolve symlinks for paths where the final file (leaf) did not exist. Attackers can exploit this by creating symlinks to sensitive host directories and mounting non-existent files through them, achieving arbitrary file write access on the host.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-59 (Link Following)
- Attack Vector: Local (Sandbox Escape)
- Impact: Host Filesystem Read/Write
- CVSS Score: 8.2 (High)
- Exploit Status: PoC Available
- Affected Component: validateBindMounts
Affected Systems
- OpenClaw AI Agent Platform
-
OpenClaw: <= 2026.2.23 (Fixed in:
Post-2026.2.23)
Code Analysis
Commit: b5787e4
Fix: correctly resolve parent paths for non-existent files to prevent sandbox escape
Mitigation Strategies
- Update OpenClaw to the latest stable release post-2026.2.23.
- Restrict agent permissions to prevent symlink creation if not required.
- Audit
allowedSourceRootsconfiguration.
Remediation Steps:
- Stop the OpenClaw service.
- Pull the latest code or docker image containing commit b5787e4abba0dcc6baf09051099f6773c1679ec1.
- Verify the version is > 2026.2.23.
- Restart the service.
References
Read the full report for GHSA-M8V2-6WWH-R4GC on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)