CVE-2026-32013

EPSS 0.11%
Veröffentlicht 19.03.2026 22:16:34
Zuletzt bearbeitet 23.03.2026 18:29:35
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.2.25

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.299

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d

Patch

https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc

Vendor Advisory

Mitigation

https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32013

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32013

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32013

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32013