Severity score: 9.3
OpenClaw agents.files allows malicious file read and write
GHSA-fgvx-58p6-gjwc
Summary
A security issue in OpenClaw allows an attacker to read and write sensitive files on the host system. This is due to a vulnerability in the way OpenClaw handles symlinks in the `agents.files` method. To fix this, update to OpenClaw version 2026.2.25 or later.
What to do
- Update openclaw to version 2026.2.25.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.25 | 2026.2.25 |
Original title
OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write
Original description
## Impact
The gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.
This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.24`
- Latest published vulnerable version at patch time: `2026.2.24`
- Patched versions: `>= 2026.2.25`
## Remediation
`agents.files` now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.
## Fix Commit(s)
- `125f4071bcbc0de32e769940d07967db47f09d3d`
## Release Process Note
`patched_versions` is intentionally pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.
OpenClaw thanks @tdjackey for reporting.
Score (GHSA, CVSS 4.0): 9.3
Vulnerability type
- CWE-22: Path Traversal
- CWE-59: Link Following
Published: 2 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026