CVE-2026-35632

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.1 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H                                    

Vulnerability Description

OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.

Vulnerability Details

Published Date

April 09, 2026

Last Modified

April 15, 2026

CWE ID

CWE-61

Source

NVD

Vendor

OpenClaw

Product

OpenClaw

External References

https://github.com/openclaw/openclaw/security/advisories/GHSA-7xr2-q9vf-x4r5
https://www.vulncheck.com/advisories/openclaw-symlink-traversal-via-identity-md-appendfile-in-agents-create-update

CVE-2026-35632

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment