OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only…
VulnCheck·CWE-22·Published 2026-03-03
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the intended workspace boundary when tools.fs.workspaceOnly is enabled.
OpenClaw versions prior to 2026.2.24 contain a path traversal vulnerability where @-prefixed absolute paths bypass workspace-only file-system boundary validation due to canonicalization mismatch. Attackers can exploit this by crafting @-prefixed paths like @/etc/passwd to read files outside the intended workspace boundary when tools.fs.workspaceOnly is enabled.
A workspace-only file-system guard mismatch allowed `@`-prefixed absolute paths to bypass boundary validation in some tool path checks. ### Impact When `tools.fs.workspaceOnly=true`, certain `@`-prefixed absolute paths (for example `@/etc/passwd`) could be validated before canonicalization while runtime path handling normalized the prefix differently. In affected code paths this could permit reads outside the intended workspace boundary. Per `SECURITY.md`, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published at triage time: `2026.2.23` - Affected versions: `<= 2026.2.23` - Patched versions: `>= 2026.2.24` ### Fix Commit(s) - `9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260` OpenClaw thanks @tdjackey for reporting.
A workspace-only file-system guard mismatch allowed `@`-prefixed absolute paths to bypass boundary validation in some tool path checks. ### Impact When `tools.fs.workspaceOnly=true`, certain `@`-prefixed absolute paths (for example `@/etc/passwd`) could be validated before canonicalization while runtime path handling normalized the prefix differently. In affected code paths this could permit reads outside the intended workspace boundary. Per `SECURITY.md`, OpenClaw is primarily a personal-assistant runtime with trusted-user assumptions, and this path is gated behind non-default sandbox/tooling configuration. That reduces practical exposure, but the bypass is still a security bug and is fixed. ### Affected Packages / Versions - Package: `openclaw` (npm) - Latest published at triage time: `2026.2.23` - Affected versions: `<= 2026.2.23` - Patched versions: `>= 2026.2.24` ### Fix Commit(s) - `9ef0fc2ff8fa7b145d1e746d6eb030b1bf692260` OpenClaw thanks @tdjackey for reporting.
Versiones de OpenClaw anteriores a 2026.2.24 contienen una vulnerabilidad de salto de ruta donde las rutas absolutas con prefijo '@' eluden la validación de límites del sistema de archivos solo para el espacio de trabajo debido a una falta de coincidencia en la canonización. Los atacantes pueden explotar esto creando rutas con prefijo '@' como @/etc /passwd para leer archivos fuera del límite del espacio de trabajo previsto cuando tools.fs.workspaceOnly está habilitado.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 6.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | GHSA | 7.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 4.0 | Primary | cve.org | 6.0 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 6.0 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 5.7 | — | — | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |