CVSS 4.0 base score: 7.6

OpenClaw can read or modify files outside its workspace

GHSA-3jx4-q2m7-r496
Summary

In certain configurations, OpenClaw can access files outside its workspace by following hard links. A hard link inside the workspace that refers to the inode of an out-of-workspace file is a real directory entry, not a symlink, so a boundary check that only resolves symlinks and compares path prefixes accepts it. This can lead to the disclosure or modification of sensitive files. To fix this, update to version 2026.2.25 or later. Note that the workspace boundary only applies when workspace-only checks (`tools.fs.workspaceOnly`) are enabled in your OpenClaw configuration; the setting is off by default.

What to do
  • Update openclaw to version 2026.2.25 or later.
  • If you rely on the workspace boundary, confirm that `tools.fs.workspaceOnly` is enabled; without it there is no boundary to enforce.
Affected software
| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.24      | 2026.2.25     |
Original title
OpenClaw: Hardlink alias checks could bypass workspace-only file boundaries in specific configurations
Original description
### Summary
In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary.

By default, `tools.fs.workspaceOnly` is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only `apply_patch` checks).

### Impact
- Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases.
- Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published version at triage time: `2026.2.24`
- Affected range: `<= 2026.2.24`
- Planned patched version: `2026.2.25`

### Fix Commit(s)
- `04d91d0319b82fd4de91ed05e9fc5219ff2ab64e` (main)

### Remediation
OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for:
- workspace-only path checks (`read` / `write` / `edit`)
- workspace-only `apply_patch` read/write paths
- sandbox mount-root path-safety checks

Regression tests were added for `apply_patch`, workspace fs tools, and sandbox fs bridge hardlink alias escapes.

OpenClaw thanks @tdjackey for reporting.
Source: GHSA · CVSS 4.0 base score: 7.6
Vulnerability type
  • CWE-59 Improper Link Resolution Before File Access ('Link Following')
  • CWE-668 Exposure of Resource to Wrong Sphere
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026