PT-2026-57891 · Openclaw · Openclaw

Rex Liu

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-62189

CVSS v3.1

7.1

High

VectorAV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.

Fix

Time Of Check To Time Of Use

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-62189

Affected Products

Openclaw