OpenClaw has agent avatar symlink traversal in gateway session metadata

Description

Summary

A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.

Impact

  • Confidentiality impact: local file read in the gateway process context.
  • Exfiltration path: agents.list can return the resulting avatarUrl payload.

Affected Components

  • src/gateway/session-utils.ts (resolveIdentityAvatarUrl)

Affected Packages / Versions

  • Package: openclaw (npm)
  • Introduced: v2026.1.21
  • Affected published versions: <= 2026.2.21-2
  • Planned patched version: 2026.2.22

Remediation

  • Resolve workspace and avatar paths with realpath and enforce realpath containment.
  • Open files with O_NOFOLLOW when available.
  • Compare pre-open and opened file identity (dev/ino) to block swap races.
  • Add regression tests for outside-workspace symlink rejection and in-workspace symlink allowance.
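As an added illustration of the remediation steps above (example code, not OpenClaw's own), a TypeScript helper that applies realpath containment, O_NOFOLLOW and a dev/ino identity check; the function names, the workspace layout and the file contents are constructed for the demo:

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical hardened resolver (added example, not OpenClaw's code). Returns the
// avatar bytes only when the realpath of the avatar stays inside the realpath of
// the workspace; returns null for anything else.
export function readAvatarWithinWorkspace(workspaceDir: string, avatarPath: string): Buffer | null {
  const workspaceReal = fs.realpathSync(workspaceDir);
  let avatarReal: string;
  try {
    // realpath follows every symlink component and yields the final target
    avatarReal = fs.realpathSync(path.resolve(workspaceReal, avatarPath));
  } catch {
    return null; // dangling symlink or missing file
  }
  // Containment is checked on the resolved path, not on the path the caller supplied
  const rel = path.relative(workspaceReal, avatarReal);
  if (rel === "" || rel === ".." || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)) return null;
  const before = fs.statSync(avatarReal); // identity (dev/ino) of the checked target
  // O_NOFOLLOW: if the final component is swapped for a symlink after the check, open fails
  const flags = fs.constants.O_RDONLY | (fs.constants.O_NOFOLLOW ?? 0);
  let fd: number;
  try {
    fd = fs.openSync(avatarReal, flags);
  } catch {
    return null;
  }
  try {
    const after = fs.fstatSync(fd);
    // Reject if the opened file is not the one that was checked, or is not a regular file
    if (after.dev !== before.dev || after.ino !== before.ino || !after.isFile()) return null;
    return fs.readFileSync(fd);
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed fixture: a real avatar, an in-workspace symlink, and a symlink to a file outside
export function demo(): Record<string, string | null> {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "avatar-demo-"));
  const ws = path.join(root, "workspace");
  fs.mkdirSync(ws);
  fs.writeFileSync(path.join(ws, "avatar.png"), "PNGDATA");
  fs.writeFileSync(path.join(root, "secret.txt"), "SECRET");
  fs.symlinkSync("avatar.png", path.join(ws, "link-in.png"));
  fs.symlinkSync("../secret.txt", path.join(ws, "link-out.png"));
  const show = (p: string) => readAvatarWithinWorkspace(ws, p)?.toString() ?? null;
  return { direct: show("avatar.png"), inWorkspace: show("link-in.png"), outside: show("link-out.png"), dotdot: show("../secret.txt") };
}
```

The in-workspace symlink is still served, while the symlink escaping the workspace and the plain `..` traversal both yield null instead of the outside file's contents.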

Fix Commit(s)

  • 3d0337504349954237d09e4d957df5cb844d5e77

OpenClaw thanks @aether-ai-agent for reporting.

Basic information

Type
reviewed
Severity
medium
Published (advisory)
2026-03-04 19:02:59 UTC
Updated
2026-03-04 19:03:00 UTC
GitHub reviewed
2026-03-04 19:02:59 UTC

CVSS Scores

Base score: 6.9
Version: 4.0
Severity: medium
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:N)
No additional preconditions are required beyond normal reachability.
Privileges required (PR:N)
No privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

GHSA: GHSA-9mph-4f7v-fmvh

CWEs

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: npm
Package: openclaw
Vulnerable range: < 2026.2.22
First patched: 2026.2.22
