PT-2026-25130 · Npm · Openclaw
Published
2026-03-03
·
Updated
2026-03-03
CVSS v4.0
6.8
Medium
| Vector | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Summary
OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.21, plus prereleases2026.2.21-1and2026.2.21-2 - Latest published version at triage time (2026-02-22):
2026.2.21-2(affected) - Planned patched version (pre-set for release workflow):
2026.2.22
Details
In vulnerable builds, local avatar resolution could follow symlinks and return file bytes from outside the configured workspace boundary.
The issue was hardened in two paths:
- Gateway avatar metadata resolution now enforces canonical containment,
O NOFOLLOW, and fd/file-identity checks. - Control UI avatar serving now rejects symlink paths and enforces fd/file-identity and size checks before reads.
Fix Commit(s)
3d0337504349954237d09e4d957df5cb844d5e776970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2
Release Process Note
patched versions is pre-set to >= 2026.2.22 so after npm release, the remaining action is to publish this advisory.Impact
Confidentiality impact only: local files readable by the OpenClaw process could be disclosed via avatar response surfaces.
OpenClaw thanks @tdjackey for reporting.
Fix
Link Following
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw