CVE-2026-32060

HIGH 8.8

OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

CWE	CWE-22
Vendor	openclaw
Product	openclaw
Published	Mar 11, 2026
Last Updated	Mar 11, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

openclaw / openclaw

2026.2.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57 github.com: https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths

Credits

🔍 Peyton Kennedy (@p80n-sec)