Link following in OpenClaw - CVE-2026-32020

Published: May 1, 2026


Vulnerability identifier: #VU128822
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32020
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: OpenClaw
Software vendor: OpenClaw

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access in the Control UI static file handler when serving Control UI assets and SPA fallback files. A local user can place a symlink under the Control UI root to disclose sensitive information.

Exploitation requires symlinks to exist inside the Control UI root.
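
The difference between a lexical path check and a link-resolving one, which is the pattern CWE-59 describes, shown as an added example that is not OpenClaw's code or the vendor's fix. The function names `resolveLexical`, `resolveReal` and `buildFixture` are hypothetical, and the files are constructed in a temporary directory.

```javascript
// Added example: hypothetical static-file path resolvers, not OpenClaw code.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Weak: lexical containment only. A symlink inside the root passes this check
// and is followed when the file is later opened.
function resolveLexical(root, urlPath) {
  const candidate = path.resolve(root, "." + path.posix.normalize("/" + urlPath));
  if (candidate !== root && !candidate.startsWith(root + path.sep)) return null;
  return fs.existsSync(candidate) ? candidate : null;
}

// Hardened: resolve links first, then check containment against the real root.
function resolveReal(root, urlPath) {
  const realRoot = fs.realpathSync(root);
  const candidate = path.resolve(realRoot, "." + path.posix.normalize("/" + urlPath));
  let real; // a missing file or dangling link is treated as "not found"
  try { real = fs.realpathSync(candidate); } catch { return null; }
  if (!real.startsWith(realRoot + path.sep)) return null; // link escapes the root
  return fs.statSync(real).isFile() ? real : null;
}

// Constructed fixture: a UI root with one asset and one symlink pointing outside it.
function buildFixture() {
  const base = fs.realpathSync(fs.mkdtempSync(path.join(os.tmpdir(), "ui-demo-")));
  const root = path.join(base, "ui-root");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "index.html"), "<h1>ui</h1>");
  const outside = path.join(base, "outside.txt");
  fs.writeFileSync(outside, "constructed secret");
  fs.symlinkSync(outside, path.join(root, "leak.txt"));
  return { base, root, outside };
}

function demo() {
  const { base, root } = buildFixture();
  const result = {
    lexicalLink: resolveLexical(root, "leak.txt") !== null, // served by weak check
    realLink: resolveReal(root, "leak.txt") !== null,       // refused
    realAsset: resolveReal(root, "index.html") !== null,    // still served
    realTraversal: resolveReal(root, "../outside.txt") !== null,
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The check and the later open are separate steps, so a handler should open the resolved path it validated, not the original request path.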


Remediation

Install the security update from the vendor's website.