CVE-2026-32060

HIGH

OpenClaw <2026.2.14 - Path Traversal

Title source: llm

Description

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

References (3)

[Patch] https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths

Scores

CVSS v3 8.8

EPSS 0.0040

EPSS Percentile 61.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (2)

npm/openclaw 0 - 2026.2.14npm

openclaw/openclaw < 2026.2.14

Published Mar 11, 2026

Tracked Since Mar 11, 2026