DEV Community

CVE Reports

Posted on • Originally published at cvereports.com


GHSA-rx3g-mvc3-qfjf: Arbitrary File Read via Avatar Symlink Traversal in OpenClaw

Vulnerability ID: GHSA-RX3G-MVC3-QFJF
CVSS Score: 6.6
Published: 2026-03-03

A symbolic link traversal vulnerability exists in the OpenClaw AI assistant platform, specifically within the agent avatar resolution logic. This flaw allows attackers with write access to an agent's workspace to create symbolic links pointing to arbitrary files on the host filesystem. When the gateway attempts to serve or process the agent's avatar, it follows the symbolic link and discloses the target file's contents, bypassing workspace isolation boundaries. The avatar read path also contains a Time-of-Check Time-of-Use (TOCTOU) race condition, so a path that passes validation can still be swapped for a symbolic link before the file is actually read.

TL;DR

OpenClaw versions before 2026.1.29 are vulnerable to arbitrary file reads. Attackers can create malicious symbolic links in an agent's workspace (e.g., naming a link 'avatar.png' that points to '/etc/passwd'). The system follows these links during avatar resolution, exposing sensitive host files.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-59 (Link Following)
  • Attack Vector: Local / Remote (via Workspace)
  • CVSS Score: 6.6 (Medium)
  • Impact: Confidentiality Loss (Arbitrary File Read)
  • Exploit Status: PoC Available
  • Platform: Node.js / TypeScript

Affected Systems

  • OpenClaw Gateway
  • OpenClaw Agent Runtime
  • OpenClaw: < 2026.1.29 (Fixed in: 2026.1.29)

Code Analysis

Commit: 3d03375

Block avatar symlink escapes

Commit: 6970c2c

Harden control-ui avatar reads against TOCTOU

Mitigation Strategies

  • Upgrade OpenClaw to version 2026.1.29 or later.
  • Run the application with a low-privilege service account.
  • Implement filesystem monitoring to detect unauthorized symlink creation.
  • Use containerization to isolate the application environment.

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Pull the latest release: git pull or docker pull openclaw/openclaw:latest.
  3. Verify the version matches or exceeds 2026.1.29.
  4. Run openclaw doctor --fix to verify integrity.
  5. Restart the service.

References


Read the full report for GHSA-RX3G-MVC3-QFJF on our website for more details including interactive diagrams and full exploit analysis.
