The gateway agents.files.get and agents.files.set methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example AGENTS.md) could resolve outside the agent workspace and be read/written by the gateway process.
This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.
openclaw (npm)<= 2026.2.242026.2.24>= 2026.2.25 agents.files now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior.
125f4071bcbc0de32e769940d07967db47f09d3dpatched_versions is intentionally pre-set to the release (2026.2.25). Advisory published with npm release 2026.2.25.
OpenClaw thanks @tdjackey for reporting.
| Score | Percentile |
|---|---|
| 0.11% | 29.88% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.8 | 3.1 | — |
|
| 9.3 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-fgvx-58p6-gjwc ↗ |
| CVE | CVE-2026-32013 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.2.25 | 2026.2.25 | — |