Link following in OpenClaw - CVE-2026-27485


Published: May 1, 2026


Vulnerability identifier: #VU128849
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27485
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper link resolution before file access (CWE-59) in skills/skill-creator/scripts/package_skill.py when packaging a crafted local skill directory containing symlinks. The packaging script follows symlinks found inside the skill directory, so a link that points outside the directory causes the target file's contents to be read and bundled into the resulting package. A local user who runs the packaging script on attacker-controlled skill contents can thereby disclose sensitive information from files the attacker could not otherwise read.

This issue is limited to the local, manual skill-author packaging workflow; it is not reachable via the normal gateway or chat runtime paths.
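The following is an added, self-contained model of the flaw class described above; it is not OpenClaw's package_skill.py and does not reproduce its code. It builds a constructed skill directory in a temporary folder, plants a symlink (assumed name notes.txt) pointing at a file outside the skill, and packages it twice: once with a packager that follows links the way zipfile.write() does by default, and once with a hardened packager that refuses symlinks and confirms every resolved path stays under the skill root before it is read.

```python
"""Illustrative model of CWE-59 (link following) in a skill packager.
Not OpenClaw's code; all paths and file names below are constructed."""
import io
import tempfile
import zipfile
from pathlib import Path


class SymlinkEscape(Exception):
    """Raised by the hardened packager when an entry is a symlink."""


def package_following_links(skill_dir: Path) -> bytes:
    """Vulnerable variant: zipfile.write() stat()s and open()s the path it is
    given, both of which follow symlinks, so a link inside the skill directory
    that points at an unrelated file causes that file's bytes to be archived."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(skill_dir.rglob("*")):
            if path.is_file():  # True for a symlink whose target is a file
                zf.write(path, str(path.relative_to(skill_dir)))
    return buf.getvalue()


def package_without_following_links(skill_dir: Path) -> bytes:
    """Hardened variant: reject symlinks outright (a skill package has no
    legitimate need for them) and, as a second check, require the resolved
    path of every regular file to lie under the resolved skill root."""
    root = skill_dir.resolve()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(skill_dir.rglob("*")):
            rel = path.relative_to(skill_dir)
            if path.is_symlink():
                raise SymlinkEscape(f"refusing to package symlink: {rel}")
            if not path.is_file():
                continue
            if root not in path.resolve().parents:
                raise SymlinkEscape(f"entry resolves outside skill root: {rel}")
            zf.write(path, str(rel))
    return buf.getvalue()


def demo() -> dict:
    """Constructed scenario: an 'evil-skill' directory with a symlink to a
    secret file that lives outside the skill. Returns what each packager did."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        secret = tmp_path / "secrets" / "token.txt"  # constructed out-of-tree file
        secret.parent.mkdir()
        secret.write_text("TOKEN=constructed-secret-value\n")

        skill = tmp_path / "evil-skill"  # constructed attacker-controlled skill
        skill.mkdir()
        (skill / "SKILL.md").write_text("# Evil skill\n")
        (skill / "notes.txt").symlink_to(secret)  # link escapes the skill dir

        leaked = package_following_links(skill)
        with zipfile.ZipFile(io.BytesIO(leaked)) as zf:
            names = zf.namelist()
            leaked_text = zf.read("notes.txt").decode()

        try:
            package_without_following_links(skill)
            blocked = False
        except SymlinkEscape:
            blocked = True

        return {"leaked_names": names, "leaked_text": leaked_text, "hardened_blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable packager archived:", result["leaked_names"])
    print("content of notes.txt inside archive:", result["leaked_text"].strip())
    print("hardened packager refused the symlink:", result["hardened_blocked"])
```

Note that walking the tree with os.walk() or Path.rglob() without following directory symlinks is not enough on its own: both still list symlinks to files as ordinary entries, and the subsequent open() follows the link. The check has to happen per entry, before the file is opened, which is what the hardened variant does with is_symlink() and the resolved-path comparison.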


How to mitigate CVE-2026-27485

Install the security update from the vendor. Until it is applied, treat skill directories obtained from others as untrusted input and check them for symlinks (for example with find <skill-dir> -type l) before running the packaging script on them.
