CVE-2026-27545
Severity: MEDIUM
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
Title source: cnaDescription
OpenClaw versions prior to 2026.2.26 contain an approval bypass in system.run command execution. A command is approved against the visible current-working-directory string, but a parent component of that path can be a symlink the attacker is able to rewrite. By rebinding that symlink between approval time and execution time, the attacker redirects where the command actually runs while the working-directory string shown at approval is unchanged, so the approval no longer covers the location the command executes from (CWE-367, time-of-check/time-of-use).
References (7)
Third-party advisory: GitHub Security Advisory GHSA-f7ww-2725-qvw2
https://github.com/openclaw/openclaw/security/advisories/GHSA-f7ww-2725-qvw2
Patch commit #1
https://github.com/openclaw/openclaw/commit/78a7ff2d50fb3bcef351571cb5a0f21430a340c1
Patch commit #2
https://github.com/openclaw/openclaw/commit/d82c042b09727a6148f3ca651b254c4a677aff26
Patch commit #3
https://github.com/openclaw/openclaw/commit/d06632ba45a8482192792c55d5ff0b2e21abb0a7
Patch commit #4
https://github.com/openclaw/openclaw/commit/4e690e09c746408b5e27617a20cb3fdc5190dbda
Patch commit #5
https://github.com/openclaw/openclaw/commit/4b4718c8dfce2e2c48404aa5088af7c013bed60b
Third-party advisory: VulnCheck Advisory, OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
https://www.vulncheck.com/advisories/openclaw-approval-bypass-via-parent-symlink-current-working-directory-rebind
Scores
CVSS v3.1 base score: 6.1 (Medium)
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack vector: Local
EPSS: 0.0009 (0.8th percentile)
CISA SSVC (Vulnrichment): Exploitation none; Automatable no; Technical impact partial
Details
CWE: CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition)
Status: published
Products (3)
npm/openclaw: >= 0, < 2026.2.26 (npm)
OpenClaw/OpenClaw: < 2026.2.26
openclaw/openclaw: < 2026.2.26
Published: Mar 18, 2026
Tracked since: Mar 18, 2026