Listen to this Post
The vulnerability resides in how OpenClaw’s workspace-only path validation handles symlinks. When an in-workspace symlink points outside the workspace to a non-existent leaf, the boundary check resolves aliases in a way that allows the non-existent out-of-root symlink target to pass the initial validation window. During the first write operation through the guarded workspace path, the validation fails to properly evaluate the missing-leaf alias path against canonical containment. This allows the write operation to create the file outside the workspace boundary, effectively bypassing the sandbox restrictions. The fix implements hardened canonical boundary resolution that evaluates missing-leaf alias paths against canonical containment while preserving valid in-root aliases, closing the first-write escape condition without regressing legitimate in-root alias usage.
dailycve form:
Platform: openclaw npm
Version: <= 2026.2.25
Vulnerability: Workspace boundary bypass
Severity: High
date: 2026-03-12
Prediction: 2026.3.15
What Undercode Say:
Analytics:
- The vulnerability allows workspace escape via symlinks with non-existent targets
- First-write operations bypass validation when leaf path doesn’t exist
- Canonical path resolution failed to properly evaluate missing-leaf aliases
- Fix implements hardened containment checks for non-existent paths
- Affects all versions up to 2026.2.25 inclusive
- Patched in version 2026.2.26 (planned release)
- Two fix commits: 46eba86b45e9 and 1aef45bc060b
- Reported by researcher @tdjackey
- No public exploits reported at disclosure time
- Impacts npm distribution only
Commands:
Check current OpenClaw version
npm list openclaw
Check if vulnerable version is installed
npm list openclaw | grep -E "openclaw@(2[0-9]{3}.(0|1|2[0-9])|2026.[0-1].[0-9]+|2026.2.(0|1[0-9]|2[0-5]))"
Update to patched version when available
npm install [email protected]
Verify symlink containment manually
ls -la /path/to/workspace/
find /path/to/workspace/ -type l -exec ls -la {} \;
Test workspace boundary with symlink
ln -s /outside/workspace/nonexistent /path/to/workspace/testlink
touch /path/to/workspace/testlink
Exploit:
- Create symlink inside workspace pointing to outside path that doesn’t exist
- Trigger first write operation through the symlink path
- Validation passes because target path resolution returns non-existent
- File gets created outside workspace at symlink target location
- Subsequent operations maintain access to escaped location
Protection from this CVE:
- Upgrade to OpenClaw 2026.2.26 or later
- Audit existing symlinks inside workspaces
- Review files created outside workspace boundaries
- Implement filesystem monitoring for unexpected writes
- Apply principle of least privilege for workspace processes
- Use filesystem quotas and mount namespaces as defense-in-depth
- Regular security audits of path validation logic
Impact:
- Sandbox escape allowing writes outside workspace
- Potential unauthorized file creation in sensitive directories
- Integrity violation of workspace isolation guarantees
- Possible privilege escalation if outside paths are protected
- Data contamination risks from unexpected file locations
- Breakdown of security boundaries for multi-tenant deployments
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

