
OpenClaw Exposes Local Files via Symlink Attack

GHSA-rx3g-mvc3-qfjf
Summary

OpenClaw's local avatar handling could follow symlinks, so a symlink placed inside an agent workspace could cause file bytes from outside the workspace to be returned through the gateway and Control UI avatar surfaces. Any file readable by the OpenClaw process could be disclosed this way; the impact is to confidentiality only. To fix this, update OpenClaw to version 2026.2.22 or later.

What to do
  • Update openclaw to version 2026.2.22 or later. Note that the prereleases 2026.2.21-1 and 2026.2.21-2 are affected; being on a prerelease newer than 2026.2.21 does not mean you are patched.
Affected software

| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw (npm) | <= 2026.2.21, plus prereleases 2026.2.21-1 and 2026.2.21-2 | 2026.2.22 |
Original title
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
Original description
### Summary
OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21`, plus prereleases `2026.2.21-1` and `2026.2.21-2`
- Latest published version at triage time (2026-02-22): `2026.2.21-2` (affected)
- Planned patched version (pre-set for release workflow): `2026.2.22`

### Details
In vulnerable builds, local avatar resolution could follow symlinks and return file bytes from outside the configured workspace boundary.

The issue was hardened in two paths:
1. Gateway avatar metadata resolution now enforces canonical containment, `O_NOFOLLOW`, and fd/file-identity checks.
2. Control UI avatar serving now rejects symlink paths and enforces fd/file-identity and size checks before reads.

### Fix Commit(s)
- `3d0337504349954237d09e4d957df5cb844d5e77`
- `6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2`

### Release Process Note
`patched_versions` is pre-set to `>= 2026.2.22` so after npm release, the remaining action is to publish this advisory.

### Impact
Confidentiality impact only: local files readable by the OpenClaw process could be disclosed via avatar response surfaces.

OpenClaw thanks @tdjackey for reporting.
CVSS 3.1 (GHSA): 5.5
Vulnerability type
CWE-22 Path Traversal
CWE-59 Link Following
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026