GHSA-36H3-7C54-J27R

Vulnerability from github – Published: 2026-03-02 22:18 – Updated: 2026-03-27 20:43
VLAI?
Summary
OpenClaw has browser trace/download path symlink escape in temp output handling
Details

Summary

Browser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.2.24
  • Affected versions: <= 2026.2.24
  • Planned patched release: 2026.2.25

Impact

An attacker with relevant local foothold and ability to influence output paths could route writes outside the intended temp root via symlink traversal, leading to arbitrary file overwrite.

Fix Commit(s)

  • 496a76c03ba85e15ea715e5a583e498ae04d36e3

Release Process Note

patched_versions is pre-set to the release (2026.2.25) so once npm 2026.2.25 is published, the advisory is published.

OpenClaw thanks @tdjackey for reporting.

Severity ?
6.8 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32054"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-59"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T22:18:07Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nBrowser trace/download output path handling allowed symlink-root and symlink-parent escapes from the managed temp root.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.2.24`\n- Affected versions: `\u003c= 2026.2.24`\n- Planned patched release: `2026.2.25`\n\n### Impact\nAn attacker with relevant local foothold and ability to influence output paths could route writes outside the intended temp root via symlink traversal, leading to arbitrary file overwrite.\n\n### Fix Commit(s)\n- `496a76c03ba85e15ea715e5a583e498ae04d36e3`\n\n### Release Process Note\n`patched_versions` is pre-set to the release (`2026.2.25`) so once npm `2026.2.25` is published, the advisory is published.\n\nOpenClaw thanks @tdjackey for reporting.",
  "id": "GHSA-36h3-7c54-j27r",
  "modified": "2026-03-27T20:43:35Z",
  "published": "2026-03-02T22:18:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32054"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw has browser trace/download path symlink escape in temp output handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.