Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.7
OpenClaw versions before 2026.2.14: Malicious file access and deletion
GHSA-r5fq-947m-xm57
Summary
Older versions of OpenClaw allow attackers to access and delete files in unintended areas of the system. This can happen if the system is set up to allow applying patches without proper security controls. To fix this, update to OpenClaw 2026.2.14 or later.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
Original title
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patc...
Original description
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.
ghsa CVSS3.1
8.8
Vulnerability type
CWE-22
Path Traversal
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57
- https://github.com/openclaw/openclaw/pull/16405
- https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://github.com/advisories/GHSA-r5fq-947m-xm57
- https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-...
- https://nvd.nist.gov/vuln/detail/CVE-2026-32060
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026