CVE-2026-27523

EPSS 0.09%

OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths

發布日:2026/3/3修改日:2026/3/18
也稱為:GHSA-m8v2-6wwh-r4gc

描述

### Summary In `openclaw` up to and including **2026.2.23** (latest npm release as of **February 24, 2026**), sandbox bind-source validation could be bypassed when a bind source used a symlinked parent plus a non-existent leaf path. ### Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.23` - Patched: `>= 2026.2.24` (planned next release) ### Root Cause `validateBindMounts` previously relied on full-path realpath only when the full source path already existed. For missing-leaf paths, parent symlink traversal was not fully canonicalized before allowed-root and blocked-path checks. ### Security Impact A source path that looked inside an allowed root could resolve outside that root (including blocked runtime paths) once the missing leaf was created, weakening sandbox bind-source boundary enforcement. ### Fix The validation path now canonicalizes through the nearest existing ancestor, then always re-checks the canonical path against both: - allowed source roots - blocked runtime paths ### Verification - `pnpm check` - `pnpm exec vitest run --config vitest.gateway.config.ts` - `pnpm test:fast` - Added regression tests for symlink-parent + missing-leaf bypass patterns. ### Fix Commit(s) - `b5787e4abba0dcc6baf09051099f6773c1679ec1` ### Release Process Note `patched_versions` is pre-set to the planned next release (`2026.2.24`) so after npm publish the advisory can be published without further field edits. OpenClaw thanks @tdjackey for reporting. ### Publication Update (2026-02-25) `[email protected]` is published on npm and contains the fix commit(s) listed above. This advisory now marks `>= 2026.2.24` as patched.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

參考連結(5)