CVE-2026-62189

HIGH

OpenClaw < 2026.6.9 Symlink Following via Mirror Sync

Title source: cna
STIX 2.1

Description

OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.

References (2)

Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-m38g-vpwj-mpg9)
https://github.com/openclaw/openclaw/security/advisories/GHSA-m38g-vpwj-mpg9
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.6.9 Symlink Following via Mirror Sync
https://www.vulncheck.com/advisories/openclaw-symlink-following-via-mirror-sync

Scores

CVSS v3 7.1
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Details

CWE
CWE-367 CWE-59
Status published
Products (2)
OpenClaw/OpenClaw < 2026.6.9
OpenClaw/OpenClaw 2026.6.9
Published Jul 13, 2026
Tracked Since Jul 14, 2026