OpenClaw: Malicious Files Can Be Written Outside Workspace

GHSA-mgrq-9f93-wpp5
Summary

OpenClaw's workspace-only path validation could be bypassed when a symlink inside the workspace pointed to a path outside it that did not yet exist: the first write through that symlink passed validation and created the file outside the workspace, so an attacker who can get such a symlink into the workspace can write files outside it (unauthorized access or data tampering). This affects the npm package `openclaw` up to and including 2026.2.25. Update to 2026.2.26 or later; at the time the advisory was written that version was pre-set as the next planned release, so check that it has actually been published on npm.

What to do
  • Update openclaw to version 2026.2.26.
Affected software
| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.25      | 2026.2.26     |
Original title
OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
Original description
### Summary
`openclaw` had a workspace boundary bypass in workspace-only path validation: when an in-workspace symlink pointed outside the workspace to a non-existent leaf, the first write could pass validation and create the file outside the workspace.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Vulnerable versions: `<= 2026.2.25`
- Patched versions: `>= 2026.2.26` (pre-set for next planned release)
- Latest published npm version at update time: `2026.2.25`

### Details
The boundary check resolved aliases (symlinks) in a way that let an in-workspace symlink whose out-of-root target did not yet exist pass the initial validation window: the path was judged by where it sits in the workspace rather than by where the link points. A first write through the guarded workspace path therefore followed the link and escaped the workspace boundary.

The fix hardens canonical boundary resolution so missing-leaf alias paths are evaluated against canonical containment, while preserving valid in-root aliases. This closes the first-write escape condition without regressing valid in-root alias usage.

### Fix Commit(s)
- `46eba86b45e9db05b7b792e914c4fe0de1b40a23`
- `1aef45bc060b28a0af45a67dc66acd36aef763c9`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`). Once npm release `2026.2.26` is published, this advisory can be published directly.

Thanks @tdjackey for reporting.
Source: GHSA · CVSS 3.1 base score: 7.6
Vulnerability type
  • CWE-22 Path Traversal
  • CWE-59 Link Following
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026