CVSS 4.0 score: 6.9

OpenClaw: Malicious Avatar Traversal in Gateway Session

GHSA-9mph-4f7v-fmvh
Summary

A vulnerability in OpenClaw allows an attacker to read files outside the intended agent workspace by supplying an avatar path that resolves through a symlink, which could expose sensitive information. OpenClaw's developers will update the software to prevent this type of attack, and users should update to the latest version as soon as it becomes available.

What to do
  • Update openclaw to version 2026.2.22.
Affected software

| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.22      | 2026.2.22     |
Original title
OpenClaw has agent avatar symlink traversal in gateway session metadata
Original description
## Summary
A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL in gateway responses.

## Impact
- Confidentiality impact: local file read in the gateway process context.
- Exfiltration path: `agents.list` can return the resulting `avatarUrl` payload.

## Affected Components
- `src/gateway/session-utils.ts` (`resolveIdentityAvatarUrl`)

## Affected Packages / Versions
- Package: `openclaw` (npm)
- Introduced: `v2026.1.21`
- Affected published versions: `<= 2026.2.21-2`
- Planned patched version: `2026.2.22`

## Remediation
- Resolve workspace and avatar paths with `realpath` and enforce realpath containment.
- Open files with `O_NOFOLLOW` when available.
- Compare pre-open and opened file identity (`dev`/`ino`) to block swap races.
- Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.
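
The remediation steps above, as an added example that is not OpenClaw's own code: a hypothetical `readAvatarWithinWorkspace` helper that resolves both paths with `realpath`, enforces containment of the resolved path, opens with `O_NOFOLLOW`, and re-checks `dev`/`ino` after opening, plus a constructed fixture with an in-workspace symlink (allowed) and an escaping symlink (rejected).

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hardened avatar read (illustrative, not OpenClaw's code): realpath both sides, require
// containment of the resolved path, open with O_NOFOLLOW, and confirm dev/ino did not change.
function readAvatarWithinWorkspace(workspaceDir: string, avatarPath: string): Buffer | null {
  const wsReal = fs.realpathSync(workspaceDir);
  let avatarReal: string;
  try {
    avatarReal = fs.realpathSync(path.resolve(wsReal, avatarPath));
  } catch {
    return null; // missing target or dangling symlink
  }
  // Check containment on the resolved path; the trailing separator stops "/ws-evil" passing for "/ws".
  if (!avatarReal.startsWith(wsReal + path.sep)) return null;
  const before = fs.statSync(avatarReal);
  if (!before.isFile()) return null;
  let fd: number;
  try {
    // O_NOFOLLOW: realpath already removed symlinks, so a symlink here means a swap in between.
    fd = fs.openSync(avatarReal, fs.constants.O_RDONLY | (fs.constants.O_NOFOLLOW ?? 0));
  } catch {
    return null;
  }
  try {
    const after = fs.fstatSync(fd);
    if (after.dev !== before.dev || after.ino !== before.ino) return null; // swap race detected
    return fs.readFileSync(fd);
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed fixture: a workspace holding a real avatar, an in-workspace symlink to it,
// and a symlink that escapes to a file outside the workspace.
function buildFixture(): string {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "avatar-"));
  const ws = path.join(root, "workspace");
  fs.mkdirSync(ws);
  fs.writeFileSync(path.join(ws, "avatar.png"), "PNG-BYTES");
  fs.writeFileSync(path.join(root, "secret.txt"), "SECRET");
  fs.symlinkSync(path.join(ws, "avatar.png"), path.join(ws, "inside-link.png"));
  fs.symlinkSync(path.join(root, "secret.txt"), path.join(ws, "escape.png"));
  return ws;
}
```

A regression test for the advisory's two cases then asserts that `inside-link.png` reads the avatar bytes while `escape.png` and `../secret.txt` return `null`.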

## Fix Commit(s)
- `3d0337504349954237d09e4d957df5cb844d5e77`

OpenClaw thanks @aether-ai-agent for reporting.
Source: GHSA · CVSS 4.0 score: 6.9
Vulnerability type: CWE-59 Link Following
Published: 4 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026