CVE-2026-43570 Overview
CVE-2026-43570 is a symlink traversal vulnerability affecting OpenClaw versions 2026.3.22 through versions before 2026.4.5. The flaw resides in the remote marketplace repository path handling logic, where crafted symbolic links can be used to escape the expected repository root directory. An attacker can supply specially constructed symlink paths to access files outside the intended repository directory on the host system. The issue is tracked under [CWE-61: UNIX Symbolic Link (Symlink) Following].
Critical Impact
Successful exploitation enables unauthorized read access to files outside the marketplace repository root, leading to disclosure of sensitive host filesystem contents.
Affected Products
- OpenClaw openclaw versions 2026.3.22 and later
- OpenClaw openclaw versions before 2026.4.5
- OpenClaw distributions deployed via Node.js (cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*)
Discovery Timeline
- 2026-05-05 - CVE-2026-43570 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-43570
Vulnerability Analysis
The vulnerability stems from how OpenClaw resolves remote marketplace repository paths. The application invokes fs.realpath() on the derived rootDir before returning the resolved location. When the path contains attacker-controlled symbolic links, realpath follows them and resolves to a directory outside the intended marketplace root. Subsequent file operations then trust this resolved path, granting access to arbitrary locations on the host filesystem.
Because the marketplace repository is reachable over the network and accepts repository content from remote sources, an attacker can plant symlinks within a repository payload to redirect path resolution. The result is a sandbox escape from the marketplace root, exposing files belonging to the OpenClaw process user.
Root Cause
The root cause is the use of fs.realpath() to canonicalize rootDir in src/plugins/marketplace.ts. Resolving symlinks at this layer breaks the assumption that the returned path stays within the marketplace boundary. The fix discards the realpath call and returns the structurally derived path so symlinks no longer alter the trusted root.
Attack Vector
The attack is delivered over the network and requires user interaction, such as installing or browsing a remote marketplace entry. An attacker publishes or supplies a marketplace repository containing crafted symbolic links pointing to sensitive locations on the host. When OpenClaw resolves the repository path, it follows the symlink and exposes files outside the intended directory.
const rootDir = deriveMarketplaceRootFromManifestPath(resolved);
return {
ok: true,
- rootDir: await fs.realpath(rootDir),
+ rootDir,
manifestPath: resolved,
};
}
Source: GitHub commit 94b0062. The patch removes the fs.realpath() call so that symlinks within remote marketplace payloads no longer redirect the resolved root directory.
Detection Methods for CVE-2026-43570
Indicators of Compromise
- Symbolic link entries inside fetched marketplace repository payloads that point to absolute paths outside the repository root.
- OpenClaw process activity reading files in directories such as /etc, user home directories, or application secrets directories that are unrelated to marketplace operations.
- Marketplace manifests whose resolved rootDir differs from the directory containing the manifest file.
Detection Strategies
- Inspect downloaded marketplace archives for symlinks using tar -tvf or equivalent and flag any entries whose targets resolve outside the archive root.
- Audit OpenClaw logs for marketplace install or refresh operations originating from untrusted remote repositories.
- Compare installed OpenClaw version against the fixed release 2026.4.5 to identify exposed deployments.
Monitoring Recommendations
- Monitor file access by the OpenClaw Node.js process for reads outside its expected working directories.
- Alert on marketplace repository fetches from non-allowlisted sources.
- Track changes to src/plugins/marketplace.ts and related path-handling code in custom builds to ensure the patch is preserved.
How to Mitigate CVE-2026-43570
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.5 or later, which contains the fix for the symlink traversal flaw.
- Restrict marketplace usage to trusted, internally controlled repositories until the upgrade is complete.
- Review recently installed marketplace entries for suspicious symlinks and remove any unverified content.
Patch Information
The vendor fix is delivered through commits 94b0062 and b1dd3de, with details documented in the GitHub Security Advisory GHSA-cr8r-7g2h-6wr6 and the VulnCheck Advisory. The patch removes the fs.realpath() resolution on the marketplace root directory so symlinks no longer alter the trusted path.
Workarounds
- Disable remote marketplace functionality if upgrading is not immediately possible.
- Run OpenClaw under a least-privileged user account whose filesystem access is constrained to the marketplace working directory.
- Use containerization or chroot environments to limit the host filesystem reachable through symlink resolution.
# Verify and pin the patched OpenClaw version
npm install openclaw@2026.4.5
npm ls openclaw
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
