MEDIUM 6.5

GHSA-35mw-5vvr-vrxc

OpenClaw contains a symlink traversal vulnerability

Details

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / openclaw

Introduced in: 2026.3.22 Fixed in: 2026.4.5

Fix npm install openclaw@2026.4.5

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-cr8r-7g2h-6wr6 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-43570 [ADVISORY]
https://github.com/openclaw/openclaw/commit/94b0062e90467e1582b47cc971f308457c537f3a [WEB]
https://github.com/openclaw/openclaw/commit/b1dd3ded3589f6fa60ab85b3930a82d538edaeae [WEB]
https://github.com/openclaw/openclaw [PACKAGE]
https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-remote-marketplace-repository-path-handling [WEB]