Description
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.
Published: 2026-03-19
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: File Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability is a symbolic-link following flaw (CWE-59) in OpenClaw's avatar handling component. An attacker who can request an avatar resource through an exposed gateway surface causes OpenClaw to follow a symbolic link whose target lies outside the intended workspace, so any local file readable by the OpenClaw process can be disclosed. The advisory text does not say whether the attacker must first plant the symlink in avatar storage or whether an existing link is abused; the mitigations below cover both cases.

Affected Systems

OpenClaw installations running a version earlier than 2026.2.22 are impacted. No additional version granularity was provided beyond the pre‑2026.2.22 cutoff.

Risk and Exploitability

The CVSS v4.0 base score is 6.8 (Medium) and the CVSS v3.1 score is 5.5. EPSS puts the probability of exploitation below 1%, and the flaw is not listed in the CISA KEV catalog. Note that both CVSS vectors are scored AV:L/PR:L (local attack vector, low privileges required) and the SSVC assessment records Automatable: no, which sits uneasily with the description's claim of remote exploitation through gateway surfaces. Treat actual exposure as depending on whether the gateway's avatar endpoints are reachable by untrusted users in a given deployment; where they are, file disclosure is the full extent of the impact (no integrity or availability effect is scored).

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.

Remediation

The advisory identifies OpenClaw 2026.2.22 as the first fixed version. No separate workaround is documented by the vendor.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.22 or later.
  • If an immediate upgrade is not feasible, disable or restrict public avatar upload and retrieval functionality to prevent unauthorized link traversal.
  • Enforce strict directory isolation for avatar image storage to eliminate the ability to resolve symlinks outside the sandbox.
  • Monitor application logs for anomalous file access or missing file errors that may indicate exploitation attempts.
  • Regularly check the vendor’s website or security advisories for additional patches or guidance.

Generated by OpenCVE AI on March 19, 2026 at 23:38 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-rx3g-mvc3-qfjf
Title: OpenClaw's avatar symlink traversal can expose out-of-workspace local files
History

Fri, 20 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 22:15:00 +0000

Values Removed: (none)
Values Added:
  Description: OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.
  Title: OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling
  First Time appeared: Openclaw, Openclaw openclaw
  Weaknesses: CWE-59
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw, Openclaw openclaw
  References:
  Metrics:
    cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    cvssV4_0: {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T14:56:44.432Z

Reserved: 2026-03-10T19:48:40.709Z

Link: CVE-2026-32024

Vulnrichment

Updated: 2026-03-20T14:56:34.958Z

NVD

Status : Analyzed

Published: 2026-03-19T22:16:36.737

Modified: 2026-03-23T17:46:50.453

Link: CVE-2026-32024

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T10:44:28Z

Weaknesses