OpenClaw Gateway Agent File Symlink Traversal Vulnerability
The OpenClaw gateway agents.files.get and agents.files.set methods allowed symlink traversal, enabling arbitrary file read/write outside the workspace. This PoC highlights critical risks for defenders.
Affected
The vulnerability arises from improper handling of symlinked files within the agents.files methods. Attackers could exploit this to read or write arbitrary files outside the intended workspace, leveraging gateway process permissions for potential escalation.
This PoC demonstrates that allowlisted files can be used as symlinks to escape the workspace, proving the feasibility of arbitrary file operations. The reliability is high due to the deterministic nature of path resolution in filesystems.
{'monitor_file_access': 'Monitor gateway process file accesses for operations outside designated workspaces.', 'filesystem_integrity': 'Implement checks to ensure files accessed by the gateway remain within allowed boundaries.'}
{'update_version': 'Upgrade to OpenClaw >= 2026.2.25 to utilize patched methods that enforce path containment.', 'file_access_controls': 'Enforce strict file access controls and monitor for unauthorized writes/read operations.'}
{'likelihood': 'high', 'threat_interest': 'High interest from attackers seeking to escalate privileges or gain persistence.'}
Sources