GHSA-fv94-qvg8-xqpw: OpenClaw SSH Sandbox Symlink Escape and Arbitrary File Access

This content originally appeared on DEV Community and was authored by CVE Reports


Vulnerability ID: GHSA-FV94-QVG8-XQPW
CVSS Score: 8.8
Published: 2026-04-02

OpenClaw versions 2026.3.28 and earlier contain a critical symbolic link handling vulnerability within the SSH sandbox synchronization process. The framework fails to validate symbolic links before executing file uploads via the uploadDirectoryToSshTarget function. This flaw allows an attacker interacting with the AI agent to traverse directory boundaries, resulting in arbitrary file reads from the local system or arbitrary file writes to the remote sandbox host.

TL;DR

A symlink validation failure in OpenClaw allows an AI agent to read arbitrary local files or write to arbitrary remote files during SSH sandbox synchronization, leading to sandbox escape.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-61, CWE-59
  • Attack Vector: Network / AI Prompt Injection
  • CVSS v3.1 Score: 8.8 (High)
  • Impact: Arbitrary File Read, Arbitrary File Write, Sandbox Escape
  • Exploit Status: Proof of Concept (Academic)
  • Component: uploadDirectoryToSshTarget

Affected Systems

  • OpenClaw framework <= 2026.3.28
  • Node.js environments running openclaw npm package
  • Remote SSH sandbox hosts connected to vulnerable OpenClaw instances
  • openclaw: <= 2026.3.28 (Fixed in: 2026.3.31)

Code Analysis

Commit: 3d5af14

Fix: Prevent symbolic links from escaping the SSH sandbox upload directory.

The fix adds an assertSafeUploadSymlinks function that lists the upload directory with fs.readdir (withFileTypes: true) and validates each symbolic link it finds with resolveBoundaryPath, rejecting links that resolve outside the upload directory.

Mitigation Strategies

  • Upgrade the openclaw npm package to version 2026.3.31 or later.
  • Enable Human-in-the-Loop (HITL) mode to intercept and review autonomous agent file operations.
  • Enforce strict least-privilege permissions for the SSH user account executing the sandbox environment.
  • Implement filesystem monitoring on local agent workspaces to detect anomalous symbolic link creation.

Remediation Steps:

  1. Identify all projects utilizing the 'openclaw' npm package within your environment.
  2. Modify package.json files to require 'openclaw' at version '>=2026.3.31'.
  3. Execute 'npm update openclaw' or equivalent package manager commands to retrieve the patched version.
  4. Rebuild and redeploy applications utilizing the framework.
  5. Audit sandbox execution environments to verify SSH users lack permissions to modify configuration files outside the designated sandbox directory.

References

Read the full report for GHSA-FV94-QVG8-XQPW on our website for more details including interactive diagrams and full exploit analysis.




Source: CVE Reports | Sciencx (2026-04-02T22:40:06+00:00), https://www.scien.cx/2026/04/02/ghsa-fv94-qvg8-xqpw-ghsa-fv94-qvg8-xqpw-openclaw-ssh-sandbox-symlink-escape-and-arbitrary-file-access/
