Vulnerability Description
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openclaw | Openclaw | < 2026.2.14 |
Related Weaknesses (CWE)
References
- https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437Patch
- https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57PatchVendor Advisory
- https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-Third Party Advisory
FAQ
What is CVE-2026-32060?
CVE-2026-32060 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch i...
How severe is CVE-2026-32060?
CVE-2026-32060 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32060?
Check the references section above for vendor advisories and patch information. Affected products include: Openclaw Openclaw.