OpenClaw Symlink Traversal Vulnerability in Avatar Handling
Vulnerability
A symlink traversal vulnerability has been identified in OpenClaw versions prior to 2026.2.22. It allows a remote attacker to read arbitrary files outside the designated workspace boundary through the avatar-handling code exposed on gateway surfaces. The avatar resolution process follows symbolic links, so a link placed inside the workspace can point at any local file readable by the OpenClaw process and have its contents returned, resulting in unauthorized disclosure of sensitive information.
Impact
Exploitation of this vulnerability could result in the unauthorized disclosure of local files accessible to the OpenClaw process, bypassing workspace boundaries and exposing sensitive information.
Reproduction
To reproduce this vulnerability, create a symbolic link inside the avatar workspace that points to a file outside the workspace boundary, then register that link as an avatar. When the avatar is requested through the gateway, the resolver follows the link, reads the file outside the workspace, and returns its contents, demonstrating the symlink traversal. A check on the requested path alone does not stop this, because the requested path stays inside the workspace; only the link target escapes it.
Remediation
Update to OpenClaw version 2026.2.22 or later, which patches this vulnerability. Operators who cannot update immediately can check the avatar workspace for symbolic links that resolve outside it, since such links are what this issue requires.
