Link following in OpenClaw - CVE-2026-32020


Published: May 1, 2026


Vulnerability identifier: #VU128822
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32020
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to obtain sensitive information.

The vulnerability exists due to improper link resolution before file access (CWE-59) in the Control UI static file handler when serving Control UI assets and SPA fallback files. A local user who can place a symlink under the Control UI root can use the handler to disclose the contents of the file the link points to.

Exploitation requires symlinks to exist inside the Control UI root. A quick check for an existing deployment is therefore to list symlinks under that root, for example with `find <control-ui-root> -type l`; a served root that contains no symlinks is not exposed to this issue.
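As an added illustration (not OpenClaw's code; the advisory does not show the affected handler), the following Python static-file resolver demonstrates the CWE-59 pattern behind this class of bug: a purely lexical containment check is not enough once a symlink sits inside the served root, so the hardened version canonicalises with `realpath` and refuses anything reached through a link, and applies the SPA fallback only after the same checks. The directory layout, file names and the function names (`naive_resolve`, `safe_resolve`, `build_demo_root`) are constructed for this demonstration.

```python
"""
Added example (not OpenClaw code): a static-file path resolver that refuses
to follow symlinks out of the served root, next to the weak lexical-only
check it replaces. Fixture names below are constructed for the demo.
"""
import os
import tempfile
from typing import Optional


def naive_resolve(root: str, request_path: str) -> Optional[str]:
    """Weak pattern: normalises '..' but follows symlinks blindly.

    Kept only so the hardened version can be compared on the same fixture.
    """
    candidate = os.path.normpath(os.path.join(root, request_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    # isfile() follows symlinks, so a link to a file outside root passes.
    return candidate if os.path.isfile(candidate) else None


def _checked_file(real_root: str, lexical: str) -> Optional[str]:
    """Return lexical if it is a regular file reached without any symlink."""
    if not os.path.isfile(lexical):
        return None
    real = os.path.realpath(lexical)
    if real != lexical:
        # Some component of the path is a symlink: refuse it outright, even
        # if the link happens to point back inside the root.
        return None
    if real != real_root and not real.startswith(real_root + os.sep):
        return None  # defence in depth: real location must stay under root
    return real


def safe_resolve(root: str, request_path: str, spa_fallback: str = "index.html") -> Optional[str]:
    """Resolve a request path to a file under root, or None (deny).

    Missing paths fall back to the SPA entry file; paths that exist but fail
    the symlink/containment checks are denied rather than falling back.
    """
    real_root = os.path.realpath(root)
    # Lexical normalisation anchored at '/' so '..' can never climb above root.
    rel = os.path.normpath("/" + request_path).lstrip("/") or spa_fallback
    lexical = os.path.normpath(os.path.join(real_root, rel))
    if lexical != real_root and not lexical.startswith(real_root + os.sep):
        return None
    if os.path.lexists(lexical):
        return _checked_file(real_root, lexical)
    # SPA fallback goes through exactly the same checks.
    return _checked_file(real_root, os.path.join(real_root, spa_fallback))


def build_demo_root() -> str:
    """Constructed fixture: a served root with a real asset, an SPA entry file,
    and a symlink that points at a secret file outside the root."""
    base = tempfile.mkdtemp(prefix="ctrlui-demo-")
    root = os.path.join(base, "control-ui")
    os.makedirs(os.path.join(root, "assets"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>spa</html>")
    with open(os.path.join(root, "assets", "app.js"), "w") as f:
        f.write("console.log('ok')")
    secret = os.path.join(base, "secret.txt")  # outside the served root
    with open(secret, "w") as f:
        f.write("token=CONSTRUCTED-SECRET")
    os.symlink(secret, os.path.join(root, "assets", "leak.txt"))
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print("naive :", naive_resolve(demo, "/assets/leak.txt"))   # follows the link
    print("safe  :", safe_resolve(demo, "/assets/leak.txt"))    # None
    print("asset :", safe_resolve(demo, "/assets/app.js"))
    print("route :", safe_resolve(demo, "/some/client/route"))  # index.html
```

The important design choice is that `safe_resolve` compares the canonical path with the lexical one and denies on any difference, instead of only checking that the canonical path starts with the root: that closes the whole link-following class rather than one escape route, and it keeps the SPA fallback from becoming a second, unchecked file read.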


How to mitigate CVE-2026-32020

Install security update from vendor's website.

Sources