
OpenClaw: Malicious Files Can Be Written Outside Workspace

GHSA-qcc4-p59m-p54m
Summary

OpenClaw versions up to and including 2026.2.25 have a sandbox boundary-validation flaw: a dangling symlink inside the workspace could pass the workspace-only write check, so a write meant to stay inside the workspace could land outside it. The impact is to the integrity of host files reachable from the resolved path. Update to OpenClaw 2026.2.26, which contains the fix.

What to do
  • Update openclaw to version 2026.2.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.25 | 2026.2.26 |
Original title
OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary
Original description
### Summary
A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.

### Affected Packages / Versions
- Package: npm `openclaw`
- Affected versions: `<= 2026.2.25`
- Latest published npm version included in affected range: `2026.2.25` (checked on February 26, 2026)
- Patched version (pre-set for release): `2026.2.26`

### Technical Details
In affected versions, dangling symlink hops (links whose target does not yet exist) could be accepted during boundary checks under missing-target conditions: because the target was missing, the check did not follow the link and treated the lexical, in-workspace path as the destination. Since a write through a dangling symlink creates the target, workspace-only write flows (including `apply_patch`) could resolve outside the configured workspace/sandbox boundary.

The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.
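The following is an added illustration, not OpenClaw's code or its fix commit: a flawed boundary check modelled on the bug class the advisory describes (fall back to the lexical path when the target is missing) beside a check that resolves through the deepest existing ancestor and fails closed, as the fix paragraph describes. Function names (`naive_in_boundary`, `hardened_in_boundary`, `canonical_path`, `write_in_workspace`, `demo`) and the workspace layout built in a temporary directory are constructed for the example; POSIX symlinks and `O_NOFOLLOW` are assumed.

```python
import os
import tempfile


def _inside(root: str, resolved: str) -> bool:
    """True if resolved is root itself or lies strictly beneath it."""
    return resolved == root or resolved.startswith(root + os.sep)


def naive_in_boundary(root: str, candidate: str) -> bool:
    """Flawed check (constructed to model the advisory's bug class).

    os.path.exists() follows symlinks, so it is False for a dangling link
    as well as for a genuinely new file. The fallback then trusts the
    lexical path and never sees where the link points.
    """
    root = os.path.realpath(root)
    if os.path.exists(candidate):
        resolved = os.path.realpath(candidate)
    else:
        resolved = os.path.normpath(os.path.abspath(candidate))  # the gap
    return _inside(root, resolved)


def canonical_path(path: str) -> str:
    """Resolve through the deepest existing ancestor, then append the
    not-yet-existing remainder lexically. A dangling symlink counts as
    existing (lexists is True), so its target is followed."""
    existing = os.path.abspath(path)
    rest = []
    while not os.path.lexists(existing):
        parent, tail = os.path.split(existing)
        if parent == existing:  # reached the filesystem root
            break
        existing, rest = parent, [tail] + rest
    resolved = os.path.realpath(existing)  # non-strict: follows dangling links
    return os.path.normpath(os.path.join(resolved, *rest))


def hardened_in_boundary(root: str, candidate: str) -> bool:
    """Fail closed: accept only if the canonical target stays under root."""
    return _inside(os.path.realpath(root), canonical_path(candidate))


def write_in_workspace(root: str, candidate: str, data: bytes) -> None:
    """Refuse any write whose canonical target escapes root. O_NOFOLLOW
    also rejects a final-component symlink at open time, narrowing the
    check-then-use window (CWE-367)."""
    if not hardened_in_boundary(root, candidate):
        raise PermissionError(f"refusing write outside workspace: {candidate}")
    fd = os.open(candidate, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a constructed scenario in a temp dir and report what each
    check decides and what a write through the dangling link does."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)  # keep root and candidates comparable
        ws = os.path.join(tmp, "ws")
        outside = os.path.join(tmp, "outside")
        os.mkdir(ws)
        os.mkdir(outside)
        target = os.path.join(outside, "pwned.txt")  # does not exist yet
        link = os.path.join(ws, "notes.md")           # dangling symlink in ws
        os.symlink(target, link)
        fresh = os.path.join(ws, "new.txt")           # ordinary new file

        results["naive_accepts_dangling"] = naive_in_boundary(ws, link)
        results["hardened_accepts_dangling"] = hardened_in_boundary(ws, link)
        results["naive_accepts_new_file"] = naive_in_boundary(ws, fresh)
        results["hardened_accepts_new_file"] = hardened_in_boundary(ws, fresh)

        # What the flawed check permits: the write creates the outside file.
        with open(link, "w") as f:
            f.write("x")
        results["escape_realized"] = os.path.isfile(target)

        try:
            write_in_workspace(ws, link, b"y")
            results["hardened_write_refused"] = False
        except PermissionError:
            results["hardened_write_refused"] = True
        write_in_workspace(ws, fresh, b"ok")
        results["hardened_write_inside_ok"] = os.path.isfile(fresh)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The boundary check alone is still a check-then-use sequence: a link created between the check and the write is not caught by it, which is why `write_in_workspace` also opens with `O_NOFOLLOW`. That flag only covers the final path component; protecting intermediate components needs directory file descriptors and `openat`-style calls, which this example leaves out.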

### Impact
- Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.
- Primary impact is integrity of host-side files reachable from that path resolution.

### Fix Commit(s)
- `4fd29a35bb85a1898ebff518364c467058b50e14`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`) so once npm `2026.2.26` is published, the advisory can be published without further field edits.

Thanks @tdjackey for reporting.
Source: GHSA · CVSS 3.1 base score: 7.0
Vulnerability type
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026