GHSA-9mph-4f7v-fmvh: OpenClaw has agent avatar symlink traversal in gateway session metadata
Summary
OpenClaw has a symlink traversal vulnerability (a security flaw where symbolic links can trick the system into accessing files outside intended directories) in its gateway that allows an attacker to read arbitrary local files and return them as base64-encoded data URLs. This affects OpenClaw versions up to 2026.2.21-2, where a crafted avatar path can follow a symlink outside the agent workspace and expose file contents through gateway responses.
Solution / Mitigation
The planned patched version is 2026.2.22. The remediation involves: (1) resolving workspace and avatar paths with `realpath` (a function that converts paths to their actual, canonical form) and enforcing that paths stay within the workspace; (2) opening files with `O_NOFOLLOW` (a flag that prevents following symlinks) when available; (3) comparing the file identity before and after opening (using `dev`/`ino` identifiers) to block race condition attacks; and (4) adding regression tests to ensure symlinks outside the workspace are rejected while symlinks inside are allowed.
Classification
Affected Vendors
Affected Packages
Related Issues
CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne
CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi
Original source: https://github.com/advisories/GHSA-9mph-4f7v-fmvh
First tracked: March 4, 2026 at 03:00 PM
Classified by LLM (prompt v3) · confidence: 85%