CVE-2026-22180

OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to escape root-bound restrictions and write files to arbitrary locations.
Configurations

Configuration 1

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

20 Mar 2026, 20:51

Type: CPE
  • Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Type: First Time
  • Values Added: Openclaw openclaw
  • Values Added: Openclaw
Type: References
  • Values Removed: https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c -
  • Values Added: https://github.com/openclaw/openclaw/commit/104d32bb64cdf19d5e77f70553a511a2ae90ad1c - Patch
Type: References
  • Values Removed: https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp -
  • Values Added: https://github.com/openclaw/openclaw/security/advisories/GHSA-3pxq-f3cp-jmxp - Vendor Advisory
Type: References
  • Values Removed: https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations -
  • Values Added: https://www.vulncheck.com/advisories/openclaw-path-confinement-bypass-in-browser-output-and-file-write-operations - Third Party Advisory

18 Mar 2026, 14:52

Type: Summary
  • Values Added (es): OpenClaw versions prior to 2026.3.2 contain a path-confinement bypass vulnerability in browser output handling that allows writes outside the intended root directories. Attackers can exploit insufficient canonical path-boundary validation in file write operations to evade root-bound restrictions and write files to arbitrary locations.

18 Mar 2026, 02:16

Type: New CVE

Information

Published : 2026-03-18 02:16

Updated : 2026-03-20 20:51
NVD link : CVE-2026-22180

Mitre link : CVE-2026-22180

CVE.ORG link : CVE-2026-22180

Products Affected

Vendor: openclaw

  • Product: openclaw
CWE

CWE-59: Improper Link Resolution Before File Access ('Link Following')