PT-2026-22533 · Npm · Openclaw
Published
2026-02-19
·
Updated
2026-02-19
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
In affected versions, when
apply patch was enabled and the agent ran without filesystem sandbox containment, crafted paths could cause file writes/deletes outside the configured workspace directory.Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.13 - Fixed:
>= 2026.2.14
Details
The non-sandbox path resolution in
apply patch did not enforce workspace containment. Inputs like ../../... or absolute paths could escape the working directory in non-sandboxed mode.Impact
Practical impact depends on deployment and who can trigger tool execution. This is most relevant when tool invocation is exposed to less-trusted callers or when operators expected workspace-only containment.
Workarounds
- Keep
tools.exec.applyPatch.enableddisabled if you do not needapply patch. - Keep
tools.exec.applyPatch.workspaceOnlyat its secure default oftrue. - Restrict who can trigger tool execution (and which tools are allowlisted).
Configuration Note
tools.exec.applyPatch.workspaceOnly: false intentionally opts out of workspace containment and can re-enable outside-workspace writes/deletes.Fix
- PR: https://github.com/openclaw/openclaw/pull/16405
- Merge commit:
5544646a09c0121fca7d7093812dc2de8437c7f1
Credits
Thanks to @p80n-sec for reporting this issue.
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw