CVE-2026-32024
OpenClaw's avatar symlink traversal can expose out-of-workspace local files
Description
### Summary

OpenClaw avatar handling allowed a symlink traversal path that could expose local files outside an agent workspace through gateway avatar surfaces.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.21`, plus prereleases `2026.2.21-1` and `2026.2.21-2`
- Latest published version at triage time (2026-02-22): `2026.2.21-2` (affected)
- Planned patched version (pre-set for release workflow): `2026.2.22`

### Details

In vulnerable builds, local avatar resolution could follow symlinks and return file bytes from outside the configured workspace boundary. The issue was hardened in two paths:

1. Gateway avatar metadata resolution now enforces canonical containment, `O_NOFOLLOW`, and fd/file-identity checks.
2. Control UI avatar serving now rejects symlink paths and enforces fd/file-identity and size checks before reads.

### Fix Commit(s)

- `3d0337504349954237d09e4d957df5cb844d5e77`
- `6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2`

### Release Process Note

`patched_versions` is pre-set to `>= 2026.2.22` so after npm release, the remaining action is to publish this advisory.

### Impact

Confidentiality impact only: local files readable by the OpenClaw process could be disclosed via avatar response surfaces.

OpenClaw thanks @tdjackey for reporting.
How to fix CVE-2026-32024
To remediate CVE-2026-32024, upgrade the affected package to a fixed version below.
- `openclaw` (npm): upgrade to 2026.2.22 or later
Is CVE-2026-32024 being exploited?
Low: the EPSS score is 0.1%, a low estimated probability of exploitation in the wild within the next 30 days. EPSS is a prediction, not a record of observed exploitation.
Affected packages (1)
- `openclaw` (npm): >= 0, < 2026.2.22