OpenClaw Control UI Allows Access to Sensitive Files
GHSA-5ghc-98wh-gwwf
Summary
OpenClaw's Control UI has a security flaw that lets attackers access files outside the intended area by creating a symbolic link. This could expose sensitive information. To fix this, update to the latest version of OpenClaw, which is 2026.2.22. If you can't update right away, be cautious about what files are accessible to the Control UI.
What to do
- Update steipete openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.22 | 2026.2.22 |
Original title
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
Original description
### Summary
The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.
### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version observed: `2026.2.21-2`
- Affected versions: `<=2026.2.21-2`
- Planned fixed release version: `2026.2.22`
### Technical Details
The vulnerable flow was in `src/gateway/control-ui.ts`, where `path.join(...)` + string-prefix checks were followed by file reads that resolved symlinks. This allowed directory-confinement bypasses when symlinks existed inside the Control UI root.
The fix now enforces realpath containment and verifies file identity before serving Control UI assets and SPA fallback `index.html`.
### Impact
- Vulnerability type: path traversal / external file exposure via symlink following.
- Primary impact: confidentiality (out-of-root file read).
- Severity guidance: low in supported trusted-operator deployments; can be higher in unsupported shared-writable setups.
### Fix Commit(s)
- `7c500ff6236fa087ec1ec88696ca9f6881e90dc5`
### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.22`). Publish the advisory once the npm release is available.
OpenClaw thanks @tdjackey for reporting.
GHSA CVSS 3.1 score: 3.3
Vulnerability type: CWE-22 (Path Traversal)
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026