#VU125123 Link following in OpenClaw - CVE-2026-22180


Published: April 8, 2026


Vulnerability identifier: #VU125123
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22180
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a local user to write files outside intended roots.

The vulnerability exists due to improper link resolution before file access (CWE-59) in browser output handling and related write paths when a destination path is checked against a root boundary. A local user can supply a crafted path, or rebind a symbolic link between the path check and the write, so that the application writes files outside its intended roots.

The affected code includes the browser output path as well as the related install and skills write paths.
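The following is an added example written for this advisory, not OpenClaw's own code; the function names, directory layout and the choice of Python are assumptions. It contrasts the check-then-write pattern behind CWE-59 (a lexical containment check followed by a symlink-following open) with a write that traverses the destination one component at a time using openat-style `dir_fd` calls and `O_NOFOLLOW`, so that a link planted or rebound anywhere under the root is refused at the kernel rather than after a check that has already gone stale.

```python
"""Symlink-safe writes under a sandboxed root (illustrative, not OpenClaw code).

Requires a POSIX platform with dir_fd support (Linux, macOS).
"""
import os
import tempfile

def naive_write(root: str, rel_path: str, data: bytes) -> str:
    """Vulnerable pattern: lexical containment check, then a following open().

    normpath() strips '..' but knows nothing about symlinks, and open() follows
    them, so a link inside root that points outside it passes the check and
    redirects the write. Even a realpath() check has the same race: a link
    can be rebound between the check and the open.
    """
    dest = os.path.normpath(os.path.join(root, rel_path))
    root_n = os.path.normpath(root)
    if os.path.commonpath([root_n, dest]) != root_n:
        raise PermissionError(f"{rel_path!r} escapes {root!r}")
    with open(dest, "wb") as f:          # follows symlinks
        f.write(data)
    return dest

def _opendir_nofollow(dfd: int, name: str) -> int:
    """Open (creating if absent) one directory component relative to dfd.

    O_NOFOLLOW makes the kernel fail with ELOOP/EMLINK if `name` is a symlink,
    and O_DIRECTORY fails if it is a regular file, so no check-then-use window
    exists: the same syscall both validates and opens the component.
    """
    try:
        os.mkdir(name, 0o755, dir_fd=dfd)
    except FileExistsError:
        pass  # may be a dir, file or symlink; the open below decides
    try:
        return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
    except OSError as e:
        raise PermissionError(f"refusing to traverse {name!r}: {e.strerror}") from e

def safe_write(root: str, rel_path: str, data: bytes) -> str:
    """Hardened pattern: reject '..' and absolute paths, then walk with O_NOFOLLOW."""
    parts = [p for p in rel_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if os.path.isabs(rel_path) or not parts or ".." in parts:
        raise PermissionError(f"invalid relative path {rel_path!r}")
    dfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root itself is trusted
    try:
        for part in parts[:-1]:
            nfd = _opendir_nofollow(dfd, part)
            os.close(dfd)
            dfd = nfd
        try:
            fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
                         0o644, dir_fd=dfd)
        except OSError as e:
            raise PermissionError(f"refusing to write {parts[-1]!r}: {e.strerror}") from e
        try:
            view = memoryview(data)
            while view:
                view = view[os.write(fd, view):]
        finally:
            os.close(fd)
    finally:
        os.close(dfd)
    return os.path.join(root, *parts)

def demo() -> dict:
    """Constructed scenario: root/out is a symlink planted by a local user."""
    base = tempfile.mkdtemp(prefix="cwe59-")
    root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
    os.mkdir(root)
    os.mkdir(outside)
    os.symlink(outside, os.path.join(root, "out"))
    r = {}
    naive_write(root, "out/escaped.txt", b"written outside root")
    r["naive_escaped"] = os.path.isfile(os.path.join(outside, "escaped.txt"))
    try:
        safe_write(root, "out/escaped2.txt", b"blocked")
        r["safe_refused"] = False
    except PermissionError:
        r["safe_refused"] = not os.path.exists(os.path.join(outside, "escaped2.txt"))
    try:
        safe_write(root, "../escaped3.txt", b"blocked")
        r["dotdot_refused"] = False
    except PermissionError:
        r["dotdot_refused"] = not os.path.exists(os.path.join(base, "escaped3.txt"))
    safe_write(root, "nested/ok.txt", b"inside root")
    r["safe_ok"] = os.path.isfile(os.path.join(root, "nested", "ok.txt"))
    return r

if __name__ == "__main__":
    print(demo())
```

The per-component `O_NOFOLLOW` open is what closes the rebind window: there is no point at which a checked path is later re-resolved by a following open. It does not defend against hard links to files outside the root, which need a separate ownership or nlink check after the open.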


Remediation

Install security update from vendor's website.

External links