PT-2026-25408 · Npm · Openclaw

Published: 2026-03-03 · Updated: 2026-03-03

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

A workspace-only file-system guard mismatch allowed @-prefixed absolute paths to bypass boundary validation in some tool path checks.

Impact

When tools.fs.workspaceOnly=true, the workspace guard validated certain @-prefixed absolute paths (for example @/etc/passwd) before canonicalizing them, while the runtime path handling normalized the @ prefix differently, so the path that passed the check was not the path that was actually opened. In affected code paths this could permit reads outside the intended workspace boundary.
Per SECURITY.md, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published at triage time: 2026.2.23
  • Affected versions: <= 2026.2.23
  • Patched versions: >= 2026.2.24

Fix Commit(s)

  • 9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260

OpenClaw thanks @tdjackey for reporting.

Fix

Path traversal

Weakness Enumeration

Related Identifiers

GHSA-27CR-4P5M-74RJ

Affected Products

Openclaw