CVE-2026-32024

MEDIUM 5.5

OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

5th

OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.

CWE	CWE-59
Vendor	openclaw
Product	openclaw
Published	Mar 19, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.2.22

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf github.com: https://github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77 github.com: https://github.com/openclaw/openclaw/commit/6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-avatar-handling

Credits

🔍 tdjackey