Vulnerability Description
OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.25 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f0Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwcMitigationVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-Third Party Advisory
FAQ
What is CVE-2026-32013?
CVE-2026-32013 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. A...
How severe is CVE-2026-32013?
CVE-2026-32013 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32013?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.