CVE-2026-32060 Overview
OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability (CWE-22) in the apply_patch function that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences (such as ../) or absolute paths to escape workspace boundaries and modify arbitrary files on the target system.
Critical Impact
This path traversal vulnerability enables unauthorized file system access, allowing attackers to write malicious files or delete critical system files outside the intended workspace, potentially leading to remote code execution, data corruption, or complete system compromise.
Affected Products
- OpenClaw versions prior to 2026.2.14
- Systems running apply_patch without filesystem sandbox containment
- Deployments where workspace boundaries are not enforced
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-32060 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32060
Vulnerability Analysis
This path traversal vulnerability exists in the apply_patch functionality of OpenClaw. The core issue stems from insufficient validation of file paths provided to the patch application mechanism. When processing patch requests, the vulnerable code fails to properly sanitize input paths, allowing attackers to use directory traversal sequences like ../ or absolute paths to escape the designated workspace directory.
The vulnerability is exploitable over the network with low complexity, requiring only basic user privileges. When successfully exploited, attackers gain the ability to read, write, or delete files anywhere on the filesystem accessible to the OpenClaw process, potentially compromising system integrity and confidentiality.
Root Cause
The root cause of CVE-2026-32060 is the absence of path canonicalization and boundary validation in the apply_patch function located in src/agents/apply-patch.ts. Prior to the security fix, the code did not enforce that resolved file paths remained within the configured workspace directory, allowing crafted paths to traverse outside the intended boundaries.
Attack Vector
The attack vector is network-based, where an attacker can submit specially crafted patch requests containing malicious path components. By including sequences such as ../../../etc/passwd or absolute paths like /etc/shadow, an attacker can instruct the vulnerable apply_patch function to operate on files outside the workspace. This could be leveraged to:
- Overwrite critical configuration files
- Plant malicious executables in system directories
- Delete important system or application files
- Exfiltrate sensitive data by writing to attacker-accessible locations
import type { AgentTool } from "@mariozechner/pi-agent-core";
import { Type } from "@sinclair/typebox";
import fs from "node:fs/promises";
-import os from "node:os";
import path from "node:path";
import type { SandboxFsBridge } from "./sandbox/fs-bridge.js";
import { applyUpdateHunk } from "./apply-patch-update.js";
+import { assertSandboxPath } from "./sandbox-paths.js";
const BEGIN_PATCH_MARKER = "*** Begin Patch";
const END_PATCH_MARKER = "*** End Patch";
Source: GitHub Commit Details
The patch introduces the assertSandboxPath function from ./sandbox-paths.js to validate that all paths remain within the workspace boundary before file operations are performed.
Detection Methods for CVE-2026-32060
Indicators of Compromise
- Unusual file system access patterns originating from OpenClaw processes outside the workspace directory
- Log entries showing patch operations targeting paths with ../ sequences or absolute paths
- Unexpected modification timestamps on system files or files outside workspace directories
- Evidence of deleted or modified files in sensitive system directories
Detection Strategies
- Monitor OpenClaw process file operations for attempts to access paths outside configured workspace directories
- Implement file integrity monitoring (FIM) on critical system files and directories
- Analyze application logs for patch requests containing directory traversal patterns such as ../, ..\\, or absolute paths
- Deploy runtime application self-protection (RASP) to detect path traversal attempts
Monitoring Recommendations
- Configure alerting for any apply_patch operations targeting paths outside the workspace boundary
- Enable detailed logging of all file system operations performed by OpenClaw components
- Implement anomaly detection for unusual file access patterns from the application
- Regularly audit workspace configurations to ensure sandbox containment is properly enabled
How to Mitigate CVE-2026-32060
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Enable filesystem sandbox containment if not already configured
- Review and audit recent file operations performed by OpenClaw for signs of exploitation
- Implement network segmentation to limit exposure of vulnerable OpenClaw instances
Patch Information
The vulnerability is addressed in OpenClaw version 2026.2.14 through the introduction of the assertSandboxPath function that validates all file paths before operations are performed. The security fix ensures paths are canonicalized and verified to remain within the workspace boundary. For detailed patch information, see the GitHub Security Advisory and the GitHub Commit Details.
Workarounds
- Disable the apply_patch functionality if not required for operations until patching is possible
- Enable filesystem sandbox containment to restrict file operations to the workspace directory
- Implement external input validation at the network layer to filter requests containing path traversal sequences
- Run OpenClaw with minimal file system permissions to limit the impact of successful exploitation
# Configuration example
# Ensure filesystem sandbox is enabled in OpenClaw configuration
# Set workspace_sandbox_enabled to true to enforce path boundaries
export OPENCLAW_SANDBOX_ENABLED=true
export OPENCLAW_WORKSPACE_ROOT=/var/openclaw/workspace
# Restrict file permissions for the OpenClaw process
chmod 700 /var/openclaw/workspace
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
