OpenClaw contains a symlink traversal vulnerability

GHSA-35mw-5vvr-vrxc · CVE-2026-43570

Published May 5, 2026 · Modified May 8, 2026

Description

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.

References

WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-43570
WEB https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a
WEB https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae
PACKAGE https://github.com/openclaw/openclaw
WEB https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes