PT-2026-25512 · Npm · Openclaw
Published
2026-03-04
·
Updated
2026-03-04
CVSS v4.0
7.6
High
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Summary
In certain workspace-restricted configurations, OpenClaw could follow hardlink aliases inside the workspace that reference files outside the workspace boundary.
By default,
tools.fs.workspaceOnly is off. This primarily affects deployments that intentionally enable workspace-only filesystem restrictions (and workspace-only apply patch checks).Impact
- Confidentiality: out-of-workspace files could be read through in-workspace hardlink aliases.
- Integrity: out-of-workspace files could be modified through in-workspace hardlink aliases.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published version at triage time:
2026.2.24 - Affected range:
<= 2026.2.24 - Planned patched version:
2026.2.25
Fix Commit(s)
04d91d0319b82fd4de91ed05e9fc5219ff2ab64e(main)
Remediation
OpenClaw now rejects hardlinked final-file aliases during workspace boundary validation for:
- workspace-only path checks (
read/write/edit) - workspace-only
apply patchread/write paths - sandbox mount-root path-safety checks
Regression tests were added for
apply patch, workspace fs tools, and sandbox fs bridge hardlink alias escapes.OpenClaw thanks @tdjackey for reporting.
Fix
Link Following
Exposure of Resource to Wrong Sphere
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw