Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27485

CVE-2026-27485: Openclaw Information Disclosure Flaw

CVE-2026-27485 is an information disclosure vulnerability in Openclaw that allows symlink-based file exposure during skill packaging. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-27485 Overview

CVE-2026-27485 is a symlink attack vulnerability in OpenClaw, a personal AI assistant platform. The vulnerability exists in the skills/skill-creator/scripts/package_skill.py script, a local helper utility used by skill authors when packaging skills for distribution. In versions 2026.2.17 and below, this script followed symlinks while building .skill archives, potentially allowing the inclusion of arbitrary local files from the packaging machine into the generated archive.

Critical Impact

Attackers could craft malicious skill directories containing symlinks pointing to sensitive files outside the skill root, leading to unintentional disclosure of local files when authors package those skills.

Affected Products

  • OpenClaw versions 2026.2.17 and below
  • OpenClaw skills/skill-creator/scripts/package_skill.py packaging script
  • OpenClaw Node.js implementations

Discovery Timeline

  • 2026-02-21 - CVE CVE-2026-27485 published to NVD
  • 2026-02-23 - Last updated in NVD database

Technical Details for CVE-2026-27485

Vulnerability Analysis

This vulnerability is classified as CWE-61 (UNIX Symbolic Link Following), which occurs when software follows symbolic links during file operations without proper validation. The package_skill.py script uses Python's zipfile module to create .skill archives by recursively walking through a skill directory using skill_path.rglob("*"). Prior to the patch, the script did not verify whether files in the traversal were symbolic links, blindly including their resolved targets in the archive.

The exploitation scenario requires a local attacker to provide a crafted skill directory to an author, who then executes the packaging script on that malicious directory. When the script encounters symlinks, it follows them and includes the content of files from outside the intended skill directory boundary.

Root Cause

The root cause is the absence of symlink validation in the file enumeration and archival logic within package_skill.py. When using pathlib.Path.rglob() combined with zipfile.ZipFile.write(), the script would transparently resolve and include symlinked file contents without checking is_symlink() first. This classic symlink-following weakness allows path traversal beyond the skill directory root.

Attack Vector

The attack requires local access and social engineering to succeed. An attacker must:

  1. Create a malicious skill directory containing symbolic links pointing to sensitive files (e.g., ~/.ssh/id_rsa, /etc/passwd, or application configuration files)
  2. Convince a skill author to download or clone this crafted skill directory
  3. Wait for the author to execute package_skill.py on the malicious directory
  4. The resulting .skill archive will contain the attacker-specified sensitive files
  5. If the author distributes this archive, the sensitive files become exposed
python
         with zipfile.ZipFile(skill_filename, "w", zipfile.ZIP_DEFLATED) as zipf:
             # Walk through the skill directory
             for file_path in skill_path.rglob("*"):
+                # Security Check 1: Reject symlinks to prevent supply chain attacks
+                if file_path.is_symlink():
+                    print(f"[ERROR] Symlinks are not allowed in skills: {file_path}")
+                    print("   This is a security restriction to prevent including arbitrary files.")
+                    return None
+
                 if file_path.is_file():
                     # Calculate the relative path within the zip
                     arcname = file_path.relative_to(skill_path.parent)
+
+                    # Security Check 2: Validate arcname to prevent Zip Slip attacks
+                    # Ensure the path doesn't escape the skill directory using ".." or absolute paths
+                    if ".." in arcname.parts or arcname.is_absolute():
+                        print(f"[ERROR] Invalid path in skill (possible Zip Slip attack): {arcname}")
+                        print("   Paths with '..' or absolute paths are not allowed.")
+                        return None
+
                     zipf.write(file_path, arcname)
                     print(f"  Added: {arcname}")

Source: GitHub Commit Changes

Detection Methods for CVE-2026-27485

Indicators of Compromise

  • Presence of symbolic links within skill directories being packaged
  • Skill archives (.skill files) containing unexpected file paths or sensitive file content
  • Log entries showing package_skill.py execution on directories with symlinks

Detection Strategies

  • Implement file integrity monitoring on skill packaging directories to detect symlink creation
  • Audit generated .skill archives by inspecting their contents for unexpected files before distribution
  • Monitor execution of package_skill.py and log the directories being processed
  • Use static analysis tools to scan skill directories for symbolic links before packaging

Monitoring Recommendations

  • Enable verbose logging for skill packaging operations to capture file enumeration details
  • Set up alerts for skill archive generation that includes files outside expected skill directory paths
  • Monitor for unusual file access patterns during packaging script execution
  • Implement pre-commit hooks or CI/CD checks to reject skill directories containing symlinks

How to Mitigate CVE-2026-27485

Immediate Actions Required

  • Upgrade OpenClaw to version 2026.2.18 or later immediately
  • Audit any previously generated .skill archives for unintended file inclusions
  • Remove or quarantine any skill directories from untrusted sources
  • Review skill packaging workflows to ensure only trusted skill directories are processed

Patch Information

OpenClaw has addressed this vulnerability in version 2026.2.18, which adds explicit symlink detection and rejection in the packaging script. The fix implements two security checks: (1) rejecting symlinks to prevent supply chain attacks, and (2) validating archive names to prevent Zip Slip attacks using path traversal sequences.

For detailed patch information, see the GitHub Security Advisory GHSA-r6h2-5gqq-v5v6 and the GitHub Pull Request Discussion.

Workarounds

  • Manually inspect skill directories for symlinks before running package_skill.py using find /path/to/skill -type l
  • Wrap the packaging script with a pre-check that rejects directories containing symbolic links
  • Use containerized or sandboxed environments for skill packaging to limit potential file exposure
  • Implement access controls to restrict which files the packaging script can read
bash
# Configuration example
# Pre-check for symlinks before packaging
find /path/to/skill-directory -type l -print

# If any symlinks are found, do not proceed with packaging
# Alternatively, use a sandboxed environment:
docker run --rm -v /path/to/skill:/skill:ro openclaw/skill-packager package /skill

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne