
OpenClaw Gateway Can Execute Unintended Code

GHSA-659f-22xc-98f2
Summary

The OpenClaw gateway can execute malicious code if an attacker manipulates the file system and tricks the system into loading a compromised module. To fix this, OpenClaw will update its path validation to prevent this type of attack. In the meantime, ensure that hook transforms are disabled and do not allow write access to the transform directory.

What to do
  • Update openclaw to version 2026.2.22.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.2.21-2 | 2026.2.22 |
Original title
OpenClaw hook transform path containment missed symlink-resolved escapes
Original description
## Vulnerability

Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported.

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21-2`
- Patched version (planned next release): `2026.2.22`

## Impact

When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.

## Attack Preconditions

- Hook transforms are enabled and reachable.
- Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree).
- A symlink escape exists to attacker-controlled code.

## Remediation

- Enforce realpath-aware containment for existing path ancestors before dynamic import.
- Keep lexical containment checks for traversal and absolute-path escapes.
- Add regression coverage for:
  - transform module symlink escape rejection,
  - `hooks.transformsDir` symlink escape rejection,
  - in-root symlink allow-case.

## Fix Commit(s)

- `f4dd0577b055f77af783105bd65eae32f3d5e6a1`

OpenClaw thanks @aether-ai-agent for reporting.
Source: GHSA · CVSS 4.0 score: 7.3
Vulnerability type
CWE-94 Code Injection
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026