CVE-2026-32055 Overview
CVE-2026-32055 is a path traversal vulnerability affecting OpenClaw, a Node.js-based application. The vulnerability exists in the workspace boundary validation mechanism, which improperly handles symlinks pointing to non-existent out-of-root targets. This flaw allows attackers to write files outside the intended workspace directory, potentially leading to arbitrary file creation on the system.
The vulnerability stems from improper resolution of path aliases during boundary checks. When a symlink within the workspace points to a non-existent target outside the workspace root, the boundary validation fails to properly resolve the canonical path, permitting the first write operation to escape the workspace sandbox and create files in arbitrary locations on the file system.
Critical Impact
Attackers with low-privilege access can bypass workspace boundaries to write arbitrary files outside the designated sandbox, potentially leading to code execution, configuration tampering, or system compromise.
Affected Products
- OpenClaw versions prior to 2026.2.26
- OpenClaw for Node.js (all platforms)
Discovery Timeline
- 2026-03-21 - CVE-2026-32055 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32055
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from a weakness in how OpenClaw validates file paths within workspace boundaries. The core issue lies in the boundary-path.ts module, which performs lexical path validation to ensure file operations remain within the designated workspace sandbox.
The vulnerable code path allows an attacker to create a symlink inside the workspace that points to a non-existent target outside the workspace root. When the boundary check encounters this scenario, it fails to properly resolve the canonical path of the non-existent target. This oversight permits the subsequent write operation to follow the symlink and create files in arbitrary locations outside the intended boundary.
The attack requires network access and low-privilege authentication, but no user interaction is needed. The integrity impact is high since attackers can write files to arbitrary locations, while confidentiality and availability impacts are limited.
Root Cause
The root cause is improper canonical path resolution in the assertNoPathAliasEscape() function within boundary-path.ts. The original implementation performed a lexical check to determine if a path was inside the workspace root, but failed to handle the case where a symlink's target doesn't exist yet.
Specifically, the vulnerable code relied on path.resolve() for the root path and did not canonicalize paths that sit outside the lexical boundary yet resolve through a non-existent symlink target. The fix introduces resolvePathViaExistingAncestor() to resolve the canonical path of such out-of-boundary paths before the security check is performed.
Attack Vector
The attack vector is network-based and requires:
- Authenticated access to the OpenClaw workspace (low privilege)
- Ability to create symlinks within the workspace
- Creation of a symlink pointing to a non-existent path outside the workspace root
An attacker exploits this by creating a symlink inside the workspace that points to a target path outside the workspace boundary that doesn't yet exist. When performing a write operation through this symlink, the boundary check fails to recognize the escape because the target doesn't exist for canonical resolution. The write operation then creates the file at the attacker-controlled location outside the sandbox.
The security patches address this by introducing additional canonical path resolution for paths that fall outside the lexical boundary:
// Before (vulnerable):
const lexicalInside = isPathInside(rootPath, absolutePath);
if (!params.skipLexicalRootCheck && !lexicalInside) {
  throw pathEscapeError({
    boundaryLabel: params.boundaryLabel,
    rootPath,

// After (patched):
const lexicalInside = isPathInside(rootPath, absolutePath);
const outsideLexicalCanonicalPath = lexicalInside
  ? undefined
  : await resolvePathViaExistingAncestor(absolutePath);
const canonicalOutsideLexicalPath = outsideLexicalCanonicalPath ?? absolutePath;
if (
  !params.skipLexicalRootCheck &&
  !lexicalInside &&
  !isPathInside(rootCanonicalPath, canonicalOutsideLexicalPath)
) {
  throw pathEscapeError({
    boundaryLabel: params.boundaryLabel,
    rootPath,
Source: GitHub Commit 1aef45bc
Detection Methods for CVE-2026-32055
Indicators of Compromise
- Unexpected symlinks within OpenClaw workspace directories pointing to paths outside the workspace root
- File creation events in directories outside designated workspace boundaries
- Anomalous file system modifications in system directories or configuration paths
- Log entries showing boundary validation warnings or errors followed by successful file operations
Detection Strategies
- Monitor file system events for symlink creation within OpenClaw workspace directories, especially those targeting paths outside the workspace
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file creation
- Review OpenClaw application logs for boundary check failures or path resolution anomalies
- Deploy runtime application self-protection (RASP) to detect path traversal attempts in Node.js applications
Monitoring Recommendations
- Enable verbose logging in OpenClaw to capture detailed path resolution and boundary validation events
- Set up alerts for file creation events in directories outside workspace boundaries by OpenClaw processes
- Monitor for symlinks with targets containing ../ sequences or absolute paths pointing outside the workspace
- Implement endpoint detection rules for suspicious Node.js process file operations outside expected directories
How to Mitigate CVE-2026-32055
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.26 or later immediately
- Audit existing workspaces for suspicious symlinks pointing outside workspace boundaries
- Review file system permissions to ensure OpenClaw processes have minimal required privileges
- Implement additional file system sandboxing (e.g., containers, chroot) to limit potential impact
Patch Information
OpenClaw has released security patches addressing this vulnerability in version 2026.2.26. The fixes are available in the following commits:
- Commit 1aef45bc - Hardens boundary-path canonical alias handling
- Commit 46eba86b - Hardens workspace boundary path resolution
For additional details, refer to the GitHub Security Advisory GHSA-mgrq-9f93-wpp5.
Workarounds
- Disable symlink following within workspace operations if your use case permits
- Implement additional file system sandboxing using containers or OS-level restrictions to limit write access outside designated directories
- Use file system monitoring to detect and alert on symlink creation within workspaces
- Apply strict file system permissions to prevent OpenClaw processes from writing to sensitive system locations
# Example: Restrict OpenClaw process file system access using a systemd service unit
# ([Service] section fragment; combine with the unit's existing ExecStart and related keys)
[Service]
# ProtectSystem=strict mounts the whole file system read-only for the service, and
# ReadWritePaths re-opens only the workspace directory for writing.
ReadWritePaths=/var/lib/openclaw/workspace
# /etc is already read-only under ProtectSystem=strict; listing it keeps the intent explicit.
ReadOnlyPaths=/etc
ProtectSystem=strict
# Hide home directories from the service and block privilege escalation via setuid/capabilities.
ProtectHome=true
NoNewPrivileges=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.