CVE-2026-31990

MEDIUM

OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination

Title source: cna

Description

OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c

[Patch] https://github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-stagesandboxmedia-destination

Scores

CVSS v3 6.1

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Details

CWE

CWE-59

Status published

Products (3)

npm/openclaw 0 - 2026.3.2npm

OpenClaw/OpenClaw < 2026.3.2

openclaw/openclaw < 2026.3.2

Published Mar 19, 2026

Tracked Since Mar 19, 2026