CWE-59
AllowedImproper Link Resolution Before File Access ('Link Following')
Abstraction: Base · Status: Draft
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
1990 vulnerabilities reference this CWE, most recent first.
GHSA-FGM4-RH7C-G9FG
Vulnerability from github – Published: 2022-05-13 01:04 – Updated: 2025-06-09 18:31systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.
{
"affected": [],
"aliases": [
"CVE-2018-6954"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-02-13T20:29:00Z",
"severity": "HIGH"
},
"details": "systemd-tmpfiles in systemd through 237 mishandles symlinks present in non-terminal path components, which allows local users to obtain ownership of arbitrary files via vectors involving creation of a directory and a file under that directory, and later replacing that directory with a symlink. This occurs even if the fs.protected_symlinks sysctl is turned on.",
"id": "GHSA-fgm4-rh7c-g9fg",
"modified": "2025-06-09T18:31:56Z",
"published": "2022-05-13T01:04:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-6954"
},
{
"type": "WEB",
"url": "https://github.com/systemd/systemd/issues/7986"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3816-1"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3816-2"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00062.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FGRW-X4F3-89H8
Vulnerability from github – Published: 2022-05-02 06:15 – Updated: 2022-05-02 06:15fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint.
{
"affected": [],
"aliases": [
"CVE-2010-0789"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-03-02T18:30:00Z",
"severity": "LOW"
},
"details": "fusermount in FUSE before 2.7.5, and 2.8.x before 2.8.2, allows local users to unmount an arbitrary FUSE filesystem share via a symlink attack on a mountpoint.",
"id": "GHSA-fgrw-x4f3-89h8",
"modified": "2022-05-02T06:15:37Z",
"published": "2022-05-02T06:15:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0789"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=532940"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=558833"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/55945"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567633"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034518.html"
},
{
"type": "WEB",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/034580.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00003.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38261"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38287"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38359"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/38437"
},
{
"type": "WEB",
"url": "http://sourceforge.net/projects/fuse/files/ReleaseNotes/fuse-2.8.3.html/view"
},
{
"type": "WEB",
"url": "http://sourceforge.net/projects/fuse/files/fuse-2.X/2.7.5/fuse-2.7.5.tar.gz/download"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2010/dsa-1989"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/37983"
},
{
"type": "WEB",
"url": "http://www.ubuntu.com/usn/USN-892-1"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1107"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FGVX-4256-89CX
Vulnerability from github – Published: 2023-10-23 15:30 – Updated: 2024-04-04 08:53Zscaler Client Connector for Windows before 4.1 writes/deletes a configuration file inside specific folders on the disk. A malicious user can replace the folder and execute code as a privileged user.
{
"affected": [],
"aliases": [
"CVE-2023-28797"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-23T14:15:09Z",
"severity": "HIGH"
},
"details": "Zscaler Client Connector for Windows before 4.1 writes/deletes a configuration file inside specific folders on the disk. A malicious user can replace the folder and execute code as a privileged user.\n\n\n\n",
"id": "GHSA-fgvx-4256-89cx",
"modified": "2024-04-04T08:53:15Z",
"published": "2023-10-23T15:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28797"
},
{
"type": "WEB",
"url": "https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-FGVX-58P6-GJWC
Vulnerability from github – Published: 2026-03-02 22:40 – Updated: 2026-03-20 21:36Impact
The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process.
This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.24 - Latest published vulnerable version at patch time:
2026.2.24 - Patched versions:
>= 2026.2.25
Remediation
agents.files now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.
Fix Commit(s)
125f4071bcbc0de32e769940d07967db47f09d3d
Release Process Note
patched_versions is intentionally pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.25"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32013"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-02T22:40:36Z",
"nvd_published_at": "2026-03-19T22:16:34Z",
"severity": "CRITICAL"
},
"details": "## Impact\n\nThe gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process.\n\nThis could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.24`\n- Latest published vulnerable version at patch time: `2026.2.24`\n- Patched versions: `\u003e= 2026.2.25` \n\n## Remediation\n\n`agents.files` now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.\n\n## Fix Commit(s)\n\n- `125f4071bcbc0de32e769940d07967db47f09d3d`\n\n## Release Process Note\n\n`patched_versions` is intentionally pre-set to the release (`2026.2.25`). Advisory published with npm release `2026.2.25`.\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-fgvx-58p6-gjwc",
"modified": "2026-03-20T21:36:47Z",
"published": "2026-03-02T22:40:36Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32013"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write"
}
GHSA-FH2P-293Q-JMXP
Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2026-02-23 18:31An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka 'Group Policy Elevation of Privilege Vulnerability'.
{
"affected": [],
"aliases": [
"CVE-2020-16939"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-10-16T23:15:00Z",
"severity": "HIGH"
},
"details": "An elevation of privilege vulnerability exists when Group Policy improperly checks access, aka \u0027Group Policy Elevation of Privilege Vulnerability\u0027.",
"id": "GHSA-fh2p-293q-jmxp",
"modified": "2026-02-23T18:31:49Z",
"published": "2022-05-24T17:30:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-16939"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16939"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-20-1254"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FH37-HPVH-9H6C
Vulnerability from github – Published: 2022-05-17 05:28 – Updated: 2022-05-17 05:28The configure script in gnash 0.8.8 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/gnash-configure-errors.$$, (2) /tmp/gnash-configure-warnings.$$, or (3) /tmp/gnash-configure-recommended.$$ files.
{
"affected": [],
"aliases": [
"CVE-2010-4337"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2011-01-14T23:00:00Z",
"severity": "LOW"
},
"details": "The configure script in gnash 0.8.8 allows local users to overwrite arbitrary files via a symlink attack on the (1) /tmp/gnash-configure-errors.$$, (2) /tmp/gnash-configure-warnings.$$, or (3) /tmp/gnash-configure-recommended.$$ files.",
"id": "GHSA-fh37-hpvh-9h6c",
"modified": "2022-05-17T05:28:31Z",
"published": "2022-05-17T05:28:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4337"
},
{
"type": "WEB",
"url": "http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605419"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42416"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/48466"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2012/dsa-2435"
},
{
"type": "WEB",
"url": "http://www.osvdb.org/69533"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/45102"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FH38-4Q99-7449
Vulnerability from github – Published: 2022-05-02 00:05 – Updated: 2022-05-02 00:05The finger client in HP TCP/IP Services for OpenVMS 5.x allows local users to read arbitrary files via a link corresponding to a (1) .plan or (2) .project file.
{
"affected": [],
"aliases": [
"CVE-2008-3946"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2008-09-05T16:08:00Z",
"severity": "MODERATE"
},
"details": "The finger client in HP TCP/IP Services for OpenVMS 5.x allows local users to read arbitrary files via a link corresponding to a (1) .plan or (2) .project file.",
"id": "GHSA-fh38-4q99-7449",
"modified": "2022-05-02T00:05:23Z",
"published": "2022-05-02T00:05:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3946"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/45135"
},
{
"type": "WEB",
"url": "http://deathrow.vistech.net/DEFCON16/VMS.PDF"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-FJ5J-7XPR-X2F9
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Microsoft Office Remote Code Execution Vulnerability
{
"affected": [],
"aliases": [
"CVE-2024-30104"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T17:16:00Z",
"severity": "HIGH"
},
"details": "Microsoft Office Remote Code Execution Vulnerability",
"id": "GHSA-fj5j-7xpr-x2f9",
"modified": "2024-06-11T18:30:49Z",
"published": "2024-06-11T18:30:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-30104"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30104"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FM67-QV66-3RQH
Vulnerability from github – Published: 2022-04-12 00:00 – Updated: 2022-04-19 00:01In mobile_log_d, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308907; Issue ID: ALPS06308907.
{
"affected": [],
"aliases": [
"CVE-2022-20068"
],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-11T20:15:00Z",
"severity": "MODERATE"
},
"details": "In mobile_log_d, there is a possible symbolic link following due to an improper link resolution. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS06308907; Issue ID: ALPS06308907.",
"id": "GHSA-fm67-qv66-3rqh",
"modified": "2022-04-19T00:01:23Z",
"published": "2022-04-12T00:00:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-20068"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-bulletin/April-2022"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-FMFH-PCGM-2499
Vulnerability from github – Published: 2022-02-22 00:00 – Updated: 2023-09-17 09:30All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
{
"affected": [],
"aliases": [
"CVE-2021-44141"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-59"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-02-21T18:15:00Z",
"severity": "MODERATE"
},
"details": "All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.",
"id": "GHSA-fmfh-pcgm-2499",
"modified": "2023-09-17T09:30:18Z",
"published": "2022-02-22T00:00:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44141"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202309-06"
},
{
"type": "WEB",
"url": "https://www.samba.org/samba/security/CVE-2021-44141.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-48.1
Strategy: Separation of Privilege
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
CAPEC-132: Symlink Attack
An adversary positions a symbolic link in such a manner that the targeted user or application accesses the link's endpoint, assuming that it is accessing a file with the link's name.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.