CVE-2026-32060

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57	Patch Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

16 Mar 2026, 17:39

Type	Values Removed	Values Added
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw
References	~~() https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1 -~~	() https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57 - Patch, Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths -~~	() https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths - Third Party Advisory
Summary		(es) Las versiones de OpenClaw anteriores a 2026.2.14 contienen una vulnerabilidad de salto de ruta en apply_patch que permite a los atacantes escribir o eliminar archivos fuera del directorio de espacio de trabajo configurado. Cuando apply_patch está habilitado sin contención de sandbox del sistema de archivos, los atacantes pueden explotar rutas manipuladas, incluyendo secuencias de salto de directorio o rutas absolutas, para escapar de los límites del espacio de trabajo y modificar archivos arbitrarios.

11 Mar 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 14:16

Updated : 2026-03-16 17:39

NVD link : CVE-2026-32060

Mitre link : CVE-2026-32060

CVE.ORG link : CVE-2026-32060

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8.8 /10