The vulnerability is a symlink traversal flaw in the agents.create and agents.update handlers, where a file channel append operation is performed on an IDENTITY.md file without checking if the target is a symbolic link. An attacker with access to a workspace can create a symlink that points to any file on the system. When the application appends data to IDENTITY.md, the symlink causes attacker-controlled content to be written to the target file. This can be leveraged for malicious modifications such as injecting commands into crontab entries or adding unauthorized SSH keys, leading to remote code execution. The weakness maps to CWE‑61, a subcategory of path traversal.

OpenClaw software up through version 2026.2.22 is affected. The flaw exists in the agents component of the product. Vendors and system administrators should verify that their deployment is not running a version older than 2026.2.22.

The CVSS base score is 6.9, indicating a medium severity with notable impact. No EPSS score is available, so current exploit prevalence is unknown, but the vulnerability is not listed in the CISA KEV catalog. Attackers would need workspace access to create the malicious symlink, making privilege or access control a key prerequisite. If such access is granted, the resulting path traversal can write to arbitrary files, leading to complete compromise of the host. Given the potential for remote code execution and the moderate severity rating, the risk is considered significant for exposed deployments.