CVE-2026-32020
Severity: LOW 3.3 | EPSS: 0.02%

OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read

Description
### Summary

The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.

### Affected Packages / Versions

- Package: `openclaw` (npm)
- Latest published version observed: `2026.2.21-2`
- Affected versions: `<=2026.2.21-2`
- Planned fixed release version: `2026.2.22`

### Technical Details

The vulnerable flow was in `src/gateway/control-ui.ts`, where `path.join(...)` + string-prefix checks were followed by file reads that resolved symlinks. This allowed directory-confinement bypasses when symlinks existed inside the Control UI root. The fix now enforces realpath containment and verifies file identity before serving Control UI assets and the SPA fallback `index.html`.

### Impact

- Vulnerability type: path traversal / external file exposure via symlink following.
- Primary impact: confidentiality (out-of-root file read).
- Severity guidance: low in supported trusted-operator deployments; can be higher in unsupported shared-writable setups.

### Fix Commit(s)

- `7c500ff6236fa087ec1ec88696ca9f6881e90dc5`

### Release Process Note

`patched_versions` is pre-set to the planned next release (`2026.2.22`). After the npm release is available, publish the advisory.

OpenClaw thanks @tdjackey for reporting.
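The three-stage check the advisory describes (lexical prefix check, realpath containment, identity verification of the opened file), as an added illustration written for this page; it is not OpenClaw's code, and `resolveControlUiAsset`, `realpathOrNull` and the temp-directory fixture in `buildFixture` are hypothetical names. The fixture constructs a root containing one legitimate asset and one symlink to a file outside the root, so the containment check can be exercised offline.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

function realpathOrNull(p: string): string | null {
  try { return fs.realpathSync(p); } catch { return null; }
}

// Hypothetical resolver for the fix the advisory describes: lexical check, then
// realpath containment, then identity check. Returns the path to serve or null.
function resolveControlUiAsset(root: string, requestPath: string): string | null {
  const rootAbs = path.resolve(root);
  // Stage 1: join + prefix check. Alone this is the vulnerable pattern: a symlink
  // inside the root passes it while pointing outside.
  const candidate = path.join(rootAbs, path.normalize("/" + requestPath));
  if (candidate !== rootAbs && !candidate.startsWith(rootAbs + path.sep)) return null;
  // Stage 2: resolve symlinks on both sides and require realpath containment.
  const realRoot = realpathOrNull(rootAbs);
  const realCandidate = realpathOrNull(candidate);
  if (realRoot === null || realCandidate === null) return null;
  if (realCandidate !== realRoot && !realCandidate.startsWith(realRoot + path.sep)) return null;
  // Stage 3: open the validated path and confirm the descriptor refers to the same
  // regular file (device + inode) that passed the check, so nothing was swapped in between.
  try {
    const expected = fs.statSync(realCandidate);
    if (!expected.isFile()) return null;
    const fd = fs.openSync(realCandidate, "r");
    try {
      const opened = fs.fstatSync(fd);
      return opened.isFile() && opened.dev === expected.dev && opened.ino === expected.ino
        ? realCandidate : null;
    } finally {
      fs.closeSync(fd);
    }
  } catch {
    return null;
  }
}

// Constructed fixture: a Control UI root with a legitimate asset and a symlink that
// points at a file outside the root, the case the advisory describes.
function buildFixture(): { root: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "control-ui-demo-"));
  const root = path.join(base, "control-ui");
  fs.mkdirSync(path.join(root, "assets"), { recursive: true });
  fs.writeFileSync(path.join(root, "index.html"), "<!doctype html><title>Control UI</title>");
  const outside = path.join(base, "outside-secret.txt");
  fs.writeFileSync(outside, "not a UI asset");
  fs.symlinkSync(outside, path.join(root, "assets", "leak.txt"));
  return { root, outside };
}
```

With the fixture, `index.html` resolves to a servable path while `assets/leak.txt` is refused at stage 2 even though it passes the stage 1 prefix check.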
Affected packages (1)

- npm/openclaw: from 0, < 2026.2.22

CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |