GHSA-659f-22xc-98f2: OpenClaw hook transform path containment missed symlink-resolved escapes
Summary
OpenClaw's webhook transform modules (code that processes incoming webhooks) were protected only by simple text-based path checks. Because those checks never resolved symlinks (shortcuts to files), a symlink inside the transforms directory could point to a file outside it, letting an attacker escape the intended directory and execute malicious code with gateway privileges. This vulnerability affects OpenClaw versions 2026.2.21-2 and earlier.
Solution / Mitigation
Update to OpenClaw version 2026.2.22 or later. The fix enforces realpath-aware containment (the check is made against the resolved on-disk location of the file, not just its path string) before a transform module is dynamically imported, while keeping the existing checks against traversal and absolute-path escapes. The patched version also adds tests covering symlink escapes in transform modules, symlink escapes of the transforms directory itself, and symlink allow-cases.
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-659f-22xc-98f2
First tracked: March 3, 2026 at 07:00 PM
Classified by LLM (prompt v3) · confidence: 75%