OpenClaw Symlink Traversal Vulnerability in File Handling Methods Allowing Arbitrary File Access
Vulnerability
A symlink traversal vulnerability has been identified in OpenClaw versions prior to 2026.2.25. It affects the 'agents.files.get' and 'agents.files.set' methods, which are meant to confine reads and writes to the designated agent workspace. If an allowlisted file name inside the workspace is a symlink whose target lies outside the workspace, the methods follow the link, so an attacker can read or write arbitrary host files with the permissions of the gateway process. Overwriting files that are later executed or loaded by the gateway could lead to code execution.
Impact
The vulnerability allows unauthorized reading and writing of files outside the agent workspace, bounded only by the permissions of the gateway process. Because the write primitive ('agents.files.set') is not restricted to the workspace, it can be leveraged to execute arbitrary code by overwriting files that the host or the gateway subsequently executes or loads.
Reproduction
The vulnerability can be reproduced by placing a symlink in the agent workspace under an allowlisted file name and pointing it at a file outside the workspace. The allowlist check passes because the name is permitted, but when 'agents.files.get' or 'agents.files.set' is called the gateway process follows the symlink and reads or writes the target outside the workspace. Exploitation can be automated with a script that creates the symlink and then invokes the affected file handling methods.
Remediation
Update to OpenClaw version 2026.2.25 or later, where this vulnerability has been patched. The patch changes how the 'agents.files' methods handle file paths: the symlink target is resolved before the workspace containment check, so targets that resolve outside the workspace are rejected while symlinks that stay inside the workspace continue to work. The update also adds regression tests covering the out-of-workspace and in-workspace symlink cases.
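The following is an added illustration of the Reproduction and Remediation sections above, not OpenClaw's own code: a lexical-only containment check beside a check that resolves symlinks first, exercised against a constructed workspace in a temporary directory. The allowlist contents, the function names and the file names (`AGENTS.md`, `notes.md`, `host_secret.txt`) are hypothetical; it assumes a Unix-like filesystem where `os.symlink` works without special privileges.

```python
import os
import shutil
import tempfile

# Hypothetical allowlist standing in for the agent files a gateway would expose.
ALLOWLIST = {"AGENTS.md", "notes.md"}


def _check_name(name):
    if name not in ALLOWLIST:
        raise PermissionError(f"{name!r} is not an allowlisted agent file")


def read_vulnerable(workspace, name):
    """Lexical containment only: rejects '../x' but not a symlink named AGENTS.md."""
    _check_name(name)
    candidate = os.path.normpath(os.path.join(workspace, name))
    if os.path.commonpath([workspace, candidate]) != workspace:
        raise PermissionError("path escapes workspace")
    with open(candidate) as f:  # open() follows the symlink wherever it points
        return f.read()


def _resolve_in_workspace(workspace, name):
    """Resolve symlinks first, then require the real target to stay under the workspace."""
    _check_name(name)
    ws_real = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(ws_real, name))
    if os.path.commonpath([ws_real, target]) != ws_real:
        raise PermissionError(f"{name!r} resolves outside the workspace: {target}")
    return target  # in-workspace symlinks resolve under ws_real and are allowed


def read_hardened(workspace, name):
    with open(_resolve_in_workspace(workspace, name)) as f:
        return f.read()


def write_hardened(workspace, name, data):
    with open(_resolve_in_workspace(workspace, name), "w") as f:
        f.write(data)


def demo():
    """Build a constructed workspace with one escaping and one internal symlink."""
    base = tempfile.mkdtemp()
    try:
        workspace = os.path.join(base, "workspace")
        os.mkdir(workspace)
        # Constructed "host" file that lives outside the workspace.
        secret = os.path.join(base, "host_secret.txt")
        with open(secret, "w") as f:
            f.write("host-only data\n")
        # Attacker-controlled workspace content: allowlisted name pointing out of the tree.
        os.symlink(secret, os.path.join(workspace, "AGENTS.md"))
        # Legitimate symlink that stays inside the workspace.
        with open(os.path.join(workspace, "real_notes.md"), "w") as f:
            f.write("notes\n")
        os.symlink("real_notes.md", os.path.join(workspace, "notes.md"))

        results = {"vulnerable_leaks": read_vulnerable(workspace, "AGENTS.md")}
        try:
            read_hardened(workspace, "AGENTS.md")
            results["hardened_blocks_read"] = False
        except PermissionError:
            results["hardened_blocks_read"] = True
        results["hardened_allows_internal"] = read_hardened(workspace, "notes.md")
        try:
            write_hardened(workspace, "AGENTS.md", "overwritten\n")
            results["hardened_blocks_write"] = False
        except PermissionError:
            results["hardened_blocks_write"] = True
        with open(secret) as f:
            results["secret_intact"] = f.read()
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The resolve-then-check pattern closes the hole the advisory describes, but it is still a check followed by a separate open, so a process that can swap the symlink between the two calls can race it. Where that matters, open the file relative to a workspace directory descriptor with a kernel-enforced containment flag (on Linux, openat2 with RESOLVE_BENEATH) rather than relying on a userspace realpath comparison.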
