Webhook transform modules were validated with lexical path checks only. A symlink under the allowed hooks transform tree could resolve outside the intended directory and be dynamically imported.
Affected Packages / Versions
Package: openclaw (npm)
Affected versions: <= 2026.2.21-2
Patched version (planned next release): 2026.2.22
Impact
When an attacker can cause a transform module path to reference a symlinked entry that resolves outside the trusted transform directory, the gateway may import and execute unintended JavaScript with gateway-process privileges.
Attack Preconditions
Hook transforms are enabled and reachable.
Attacker can influence transform path resolution (for example via privileged config access and/or writable filesystem path in the transform tree).
A symlink escape exists to attacker-controlled code.
Remediation
Enforce realpath-aware containment for existing path ancestors before dynamic import.
Keep lexical containment checks for traversal and absolute-path escapes.