GHSA-9MPH-4F7V-FMVH
Vulnerability from github – Published: 2026-03-04 19:02 – Updated: 2026-03-04 19:02
VLAI
Summary
OpenClaw has agent avatar symlink traversal in gateway session metadata
Details
Summary
A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.
Impact
- Confidentiality impact: local file read in the gateway process context.
- Exfiltration path:
agents.listcan return the resultingavatarUrlpayload.
Affected Components
src/gateway/session-utils.ts(resolveIdentityAvatarUrl)
Affected Packages / Versions
- Package:
openclaw(npm) - Introduced:
v2026.1.21 - Affected published versions:
<= 2026.2.21-2 - Planned patched version:
2026.2.22
Remediation
- Resolve workspace and avatar paths with
realpathand enforce realpath containment. - Open files with
O_NOFOLLOWwhen available. - Compare pre-open and opened file identity (
dev/ino) to block swap races. - Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.
Fix Commit(s)
3d0337504349954237d09e4d957df5cb844d5e77
OpenClaw thanks @aether-ai-agent for reporting.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.22"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-59"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-04T19:02:59Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nA crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 `data:` URL in gateway responses.\n\n## Impact\n- Confidentiality impact: local file read in the gateway process context.\n- Exfiltration path: `agents.list` can return the resulting `avatarUrl` payload.\n\n## Affected Components\n- `src/gateway/session-utils.ts` (`resolveIdentityAvatarUrl`)\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Introduced: `v2026.1.21`\n- Affected published versions: `\u003c= 2026.2.21-2`\n- Planned patched version: `2026.2.22`\n\n## Remediation\n- Resolve workspace and avatar paths with `realpath` and enforce realpath containment.\n- Open files with `O_NOFOLLOW` when available.\n- Compare pre-open and opened file identity (`dev`/`ino`) to block swap races.\n- Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.\n\n## Fix Commit(s)\n- `3d0337504349954237d09e4d957df5cb844d5e77`\n\nOpenClaw thanks @aether-ai-agent for reporting.",
"id": "GHSA-9mph-4f7v-fmvh",
"modified": "2026-03-04T19:02:59Z",
"published": "2026-03-04T19:02:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has agent avatar symlink traversal in gateway session metadata"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…