OpenClaw Symlink Traversal Vulnerability in Identity Metadata Handling Allows Remote Code Execution
Vulnerability
A symlink traversal vulnerability has been identified in OpenClaw versions up to and including 2026.2.22. The issue resides in the 'agents.create' and 'agents.update' handlers, which call 'fs.appendFile' on 'IDENTITY.md' without checking that the path is contained within the workspace or that it is not a symlink. An attacker with workspace access can create a symlink at that path so that the handler appends attacker-controlled content to an arbitrary file, potentially leading to remote code execution through crontab injection or unauthorized access via SSH key manipulation.
Impact
Exploitation of this vulnerability allows injection of attacker-controlled content into arbitrary files. If the content is directed to a user's crontab, it could result in remote code execution. Similarly, appending data to SSH authorization files could grant unauthorized access via SSH.
Reproduction
To reproduce this vulnerability, first plant a symlink in the agent workspace that points to a sensitive file, such as '/etc/crontab'. Then, call the 'agents.create' or 'agents.update' API endpoint. The 'fs.appendFile' function will follow the symlink and write to the targeted file, injecting the agent identity metadata, which can include arbitrary strings, emojis, and avatar information.
