GHSA-R6H2-5GQQ-V5V6
Vulnerability from github – Published: 2026-02-20 21:05 – Updated: 2026-02-23 22:29
Summary
OpenClaw: Reject symlinks in local skill packaging script
Details
Vulnerability
skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives.
If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.
Severity and Exposure
- Severity: Low
- Execution context: local/manual workflow only (skill author packaging step)
- No remote trigger: this is not reachable via normal OpenClaw gateway/chat runtime paths
- No extraction Zip Slip in this finding: this issue is limited to packaging-time symlink following
Impact
- Potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact.
- Requires local execution of the packaging script on attacker-controlled skill contents.
Affected Components
- skills/skill-creator/scripts/package_skill.py
Affected Packages / Versions
- Package: openclaw (npm)
- Latest published version during triage: 2026.2.17
- Vulnerable version range: <= 2026.2.17
- Planned patched version (next release): 2026.2.18
Remediation
- Reject symlinks during skill packaging.
- Add regression tests for symlink file and symlink directory cases.
- Update packaging guidance to document the symlink restriction.
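A hardened packaging routine for the first remediation item, added here as an illustration and not the project's own package_skill.py; the function and class names are assumed. It refuses both file and directory symlinks before any byte is written to the archive, which is exactly the two regression cases listed above.

```python
import os
import tempfile
import zipfile
from pathlib import Path


class SymlinkRejected(ValueError):
    """Raised when a symlink is found anywhere inside the skill directory."""


def collect_skill_files(skill_root):
    """Return the archive members (relative POSIX paths), refusing any symlink.

    os.walk(followlinks=False) will not descend into a symlinked directory, but
    it still reports it in dirnames, so both dirnames and filenames are checked
    with is_symlink(), which uses lstat and therefore never follows the link.
    """
    root = Path(skill_root).resolve()
    members = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                raise SymlinkRejected(f"symlink not allowed: {entry.relative_to(root)}")
        members += [(Path(dirpath) / n).relative_to(root).as_posix() for n in filenames]
    return sorted(members)


def package_skill(skill_root, out_path):
    """Write the .skill zip only after the whole tree has passed the symlink check."""
    members = collect_skill_files(skill_root)
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in members:
            zf.write(Path(skill_root) / rel, arcname=rel)
    return members


def demo():
    """Constructed fixture: a clean skill, then a file symlink and a directory
    symlink pointing outside the skill root, each of which must be rejected."""
    tmp = Path(tempfile.mkdtemp())
    skill = tmp / "skill"
    (skill / "scripts").mkdir(parents=True)
    (skill / "SKILL.md").write_text("# demo skill\n")
    (skill / "scripts" / "run.py").write_text("print('hi')\n")
    (tmp / "outside.txt").write_text("should never be packaged\n")
    result = {"clean": package_skill(skill, tmp / "demo.skill")}
    for link_name, target in (("leak.txt", tmp / "outside.txt"), ("leakdir", tmp)):
        os.symlink(target, skill / link_name)
        try:
            collect_skill_files(skill)
            result[link_name] = "accepted"
        except SymlinkRejected:
            result[link_name] = "rejected"
        os.unlink(skill / link_name)
    return result
```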
Fix Commit(s)
- c275932aa4230fb7a8212fe1b9d2a18424874b3f
- ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0
Related PR
- https://github.com/openclaw/openclaw/pull/20796
Release Process Note
patched_versions is pre-set to the planned next release (2026.2.18). Once npm openclaw@2026.2.18 is published, this advisory is ready to publish without additional edits.
Thanks @aether-ai-agent for reporting.
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.18"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27485"
],
"database_specific": {
"cwe_ids": [
"CWE-61"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T21:05:45Z",
"nvd_published_at": "2026-02-21T10:16:12Z",
"severity": "MODERATE"
},
"details": "## Vulnerability\n\n`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed symlinks while building `.skill` archives.\n\nIf an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.\n\n## Severity and Exposure\n\n- **Severity: Low**\n- **Execution context:** local/manual workflow only (skill author packaging step)\n- **No remote trigger:** this is not reachable via normal OpenClaw gateway/chat runtime paths\n- **No extraction Zip Slip in this finding:** this issue is limited to packaging-time symlink following\n\n## Impact\n\n- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.\n- Requires local execution of the packaging script on attacker-controlled skill contents.\n\n## Affected Components\n\n- `skills/skill-creator/scripts/package_skill.py`\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version during triage: `2026.2.17`\n- Vulnerable version range: `\u003c= 2026.2.17`\n- Planned patched version (next release): `2026.2.18`\n\n## Remediation\n\n- Reject symlinks during skill packaging.\n- Add regression tests for symlink file and symlink directory cases.\n- Update packaging guidance to document the symlink restriction.\n\n## Fix Commit(s)\n\n- `c275932aa4230fb7a8212fe1b9d2a18424874b3f`\n- `ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0`\n\n## Related PR\n\n- https://github.com/openclaw/openclaw/pull/20796\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.18`). Once npm `openclaw@2026.2.18` is published, this advisory is ready to publish without additional edits.\n\nThanks @aether-ai-agent for reporting.",
"id": "GHSA-r6h2-5gqq-v5v6",
"modified": "2026-02-23T22:29:30Z",
"published": "2026-02-20T21:05:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/pull/20796"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Reject symlinks in local skill packaging script"
}