Path traversal in OpenClaw - #VU128596

 


Published: April 30, 2026


Vulnerability identifier: #VU128596
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
OpenClaw
Software vendor:
OpenClaw

Description

The vulnerability allows a remote attacker to access files outside the expected repository root.

The vulnerability exists due to path traversal in remote marketplace plugin repository handling when accepting marketplace path sources that resolve through symlinks. A remote attacker can provide a crafted repository path to access files outside the expected repository root.
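The class of check that closes this kind of gap, as an added example (not OpenClaw's code and not taken from the vendor's fix): a source path is accepted only if its fully resolved location, with symlinks followed, still lies under the repository root. The function names, directory layout and file contents are constructed for illustration; the weaker string-only check is included to show why normalising the path without resolving symlinks is not enough.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a source path resolves outside the repository root."""


def resolve_inside_root(repo_root, source_path):
    """Return the real path of source_path, or raise if it leaves repo_root."""
    root = Path(repo_root).resolve(strict=True)
    # Join first, then resolve: resolve() follows every symlink and collapses "..".
    candidate = (root / source_path).resolve(strict=True)
    if candidate != root and root not in candidate.parents:
        raise PathEscapeError(f"{source_path!r} resolves outside the repository root")
    return candidate


def lexical_check_only(repo_root, source_path):
    """Weak check for comparison: normalises the string, never follows symlinks."""
    root = os.path.abspath(repo_root)
    candidate = os.path.normpath(os.path.join(root, source_path))
    return os.path.commonpath([root, candidate]) == root


def demo():
    """Constructed repository: one ordinary path, one path through a symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "plugins" / "good").mkdir(parents=True)
        (repo / "plugins" / "good" / "manifest.json").write_text("{}")
        outside = Path(tmp, "outside")
        outside.mkdir()
        (outside / "secret.txt").write_text("constructed sample data")
        # A symlink stored inside the repository whose target is outside it.
        os.symlink(outside, repo / "plugins" / "linked")
        for src in ("plugins/good/manifest.json", "plugins/linked/secret.txt"):
            try:
                resolve_inside_root(repo, src)
                accepted = True
            except PathEscapeError:
                accepted = False
            # (result of string-only check, result of symlink-aware check)
            results[src] = (lexical_check_only(repo, src), accepted)
    return results
```

The resolved path returned by `resolve_inside_root` is the one to open afterwards; re-opening the original string reintroduces a window in which the link can be swapped.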


Remediation

Install the security update from the vendor's website.

External links