OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary

High severity GitHub Reviewed Published Feb 26, 2026 in openclaw/openclaw

Package

npm openclaw (npm)

Affected versions

<= 2026.2.25

Patched versions

2026.2.26

Description

Summary

A sandbox boundary-validation gap in symlink alias handling allowed certain workspace-only write paths to be treated as in-boundary even when they could resolve outside the workspace/sandbox root.

Affected Packages / Versions

  • Package: npm openclaw
  • Affected versions: <= 2026.2.25
  • Latest published npm version included in affected range: 2026.2.25 (checked on February 26, 2026)
  • Patched version (pre-set for release): 2026.2.26

Technical Details

In affected versions, dangling symlink hops could be accepted during boundary checks under missing-target conditions. For workspace-only write flows (including apply_patch), this could allow writes to resolve outside the configured workspace/sandbox boundary.

The fix resolves symlink targets through existing ancestors and fails closed when canonical resolution escapes the configured boundary.
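A sketch of the kind of check that sentence describes, written for this page as an added example; it is not OpenClaw's code from the fix commit. The function names `canonicalize` and `isInsideBoundary`, the 40-hop limit and the temp-directory fixture are assumptions made here.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Canonicalize a path whose tail may not exist yet. Each component is checked
// with lstat, so a dangling symlink is followed via readlink instead of being
// treated as an ordinary missing file.
function canonicalize(p, hops = 0) {
  if (hops > 40) throw new Error("too many symlink hops");
  const abs = path.resolve(p);
  const parent = path.dirname(abs);
  if (parent === abs) return abs; // filesystem root
  const realParent = canonicalize(parent, hops);
  const candidate = path.join(realParent, path.basename(abs));
  let st = null;
  try {
    st = fs.lstatSync(candidate);
  } catch (e) {
    if (e.code !== "ENOENT") throw e; // anything unexpected fails closed
  }
  if (!st || !st.isSymbolicLink()) return candidate;
  const target = path.resolve(realParent, fs.readlinkSync(candidate));
  return canonicalize(target, hops + 1);
}

// True only when the canonical form of `requested` stays under `root`.
function isInsideBoundary(root, requested) {
  const realRoot = canonicalize(root);
  const real = canonicalize(path.resolve(realRoot, requested));
  const rel = path.relative(realRoot, real);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Constructed fixture: a workspace holding one dangling link that points outside.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "boundary-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(root);
  fs.symlinkSync(path.join(base, "outside", "f.txt"), path.join(root, "alias"));
  const result = {
    newFile: isInsideBoundary(root, "notes/new.txt"), // missing tail, still inside
    danglingAlias: isInsideBoundary(root, "alias"), // target missing and outside
    dotDot: isInsideBoundary(root, "../outside/f.txt"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

Because the advisory also lists a time-of-check/time-of-use weakness, a write that follows such a check should use the canonical path that was validated instead of re-resolving the original name.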

Impact

  • Boundary-confined write operations could be redirected outside the configured workspace/sandbox root.
  • Primary impact is integrity of host-side files reachable from that path resolution.

Fix Commit(s)

  • 4fd29a35bb85a1898ebff518364c467058b50e14

Release Process Note

patched_versions is pre-set to the planned next release (2026.2.26) so once npm 2026.2.26 is published, the advisory can be published without further field edits.

Thanks @tdjackey for reporting.

@steipete published to openclaw/openclaw Feb 26, 2026
Published to the GitHub Advisory Database Mar 12, 2026
Reviewed Mar 12, 2026

Severity

High

CVSS v3 base metrics

  • Attack vector: Local
  • Attack complexity: High
  • Privileges required: Low
  • User interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses

Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

CVE ID

No known CVE

GHSA ID

GHSA-qcc4-p59m-p54m
