PT-2026-25118 · Npm · Openclaw

Publicado

2026-03-02

·

Atualizado

2026-03-02

CVSS v3.1

8.8

Alta

VetorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact

The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process.
This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Affected versions: <= 2026.2.24
  • Latest published vulnerable version at patch time: 2026.2.24
  • Patched versions: >= 2026.2.25

Remediation

agents.files now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.

Fix Commit(s)

  • 125f4071bcbc0de32e769940d07967db47f09d3d

Release Process Note

patched versions is intentionally pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.

Correção

Path traversal

Link Following

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22CWE-59

Identificadores relacionados

GHSA-FGVX-58P6-GJWC

Produtos afetados

Openclaw