PT-2026-25472 · Npm · Openclaw
Published 2026-03-03 · Updated 2026-03-03
CVSS v4.0: 7.0 (High)
Vector: AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Summary
In openclaw up to and including 2026.2.23 (latest npm release as of February 24, 2026), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path.
Affected Packages / Versions
- Package: openclaw (npm)
- Affected: <= 2026.2.23
- Patched: >= 2026.2.24 (planned next release)
Root Cause
validateBindMounts previously applied realpath to the full source path only when that path already existed. For paths whose leaf was missing, symlinks in the parent components were not fully canonicalized before the allowed-root and blocked-path checks.
Security Impact
A source path that lexically appeared to be inside an allowed root could resolve outside that root (including to blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement.
Fix
The validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both:
- allowed source roots
- blocked runtime paths
Verification
pnpm check
pnpm exec vitest run --config vitest.gateway.config.ts
pnpm test:fast
- Added regression tests for symlink-parent + missing-leaf bypass patterns.
Fix Commit(s)
b5787e4abba0dcc6baf09051099f6773c1679ec1
Release Process Note
The patched-versions field is pre-set to the planned next release (2026.2.24) so that, after the npm publish, the advisory can be published without further field edits.
OpenClaw thanks @tdjackey for reporting.
Publication Update (2026-02-25)
openclaw@2026.2.24 is published on npm and contains the fix commit(s) listed above. This advisory now marks >= 2026.2.24 as patched.
Link Following
Path traversal
Affected Products
Openclaw