CVE-2026-27545
Status: Received - Intake
Symlink Rebinding Approval Bypass in OpenClaw Enables Command Execution

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.26 contain an approval bypass vulnerability in system.run execution that allows attackers to execute commands from unintended filesystem locations by rebinding writable parent symlinks in the current working directory after approval. An attacker who can modify a mutable symlink component on the path of the approved working directory between approval time and execution time can redirect command execution to a different location while the visible working directory string stays unchanged.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: versions before 2026.2.26 (2026.2.26 excluded)
CWE
CWE-367 (Time-of-check Time-of-use race condition): The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27545 is a security vulnerability in OpenClaw versions prior to 2026.2.26 that affects the approval process for system.run execution. The issue arises because an attacker can exploit writable parent symbolic links (symlinks) on the path of the current working directory (cwd) to bypass execution approval controls.

Specifically, the approval step validates the cwd as it resolves at approval time, but only the cwd string is carried into execution, where the operating system resolves the path again. An attacker can rebind a mutable parent symlink component between the approval and the actual execution, so the command runs in a different, unintended filesystem location while the visible working directory string is preserved, effectively bypassing the approval mechanism.

The vulnerability is a Time-of-check Time-of-use (TOCTOU) race condition (CWE-367) and involves improper link resolution before file access (CWE-59).

The fix introduced in OpenClaw 2026.2.26 creates an immutable, structured execution plan at approval time (called systemRunPlanV2) that freezes critical parameters such as command arguments, current working directory, agent ID, and session key. This plan is prepared by a new command, system.run.prepare, and enforced strictly during execution; cwd paths that contain a mutable parent symlink are rejected outright so they cannot be rebound.


How can this vulnerability impact me?

This vulnerability allows an attacker with limited privileges to bypass the system.run command approval mechanism in OpenClaw by manipulating symlink paths after approval but before execution.

As a result, a command that was approved to run in a specific filesystem location can be executed from a different, unauthorized location. The approver sees and accepts one working directory string; the command actually runs wherever the rebound symlink now points, potentially outside the intended workspace boundaries.

The impact includes the possibility of privilege escalation, unauthorized access to sensitive files or directories, and execution of commands in a context the approver never reviewed.

The vulnerability has a medium severity rating with a CVSS v4 score of 6.9, indicating a moderate risk that warrants timely patching.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability involves an approval bypass in OpenClaw's system.run execution caused by mutable parent symlinks on the path of the current working directory (cwd) that can be rebound after approval but before execution. The precondition on a host is an approved cwd whose path passes through a symlink that lives in a directory an untrusted user can write to, since whoever can write that directory can unlink and recreate the symlink.

Detection therefore focuses on two things: auditing the working directories that OpenClaw approves for symlink components in writable directories, and watching for symlink target changes on those components between the approval and execution phases of system.run commands.

However, the provided resources do not include explicit detection commands or scripts to identify this vulnerability on a network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2026-27545, immediately upgrade OpenClaw to version 2026.2.26 or later, which includes a patch that hardens the system.run approval process.

The patch introduces an immutable, structured execution plan (`systemRunPlanV2`) that freezes critical execution parameters such as command arguments, current working directory, agent ID, and session key at approval time, preventing runtime mutation of the plan.

Additionally, the fix rejects cwd paths that contain a mutable parent symlink while the approval plan is built, so there is no rebindable component left for an attacker to swap after approval.

Further security improvements include enhanced validation, canonical boundary resolution for workspace filesystem aliases, and centralized approval context and error handling to prevent inconsistent approval validation.

If upgrading immediately is not possible, note that permissions on a symlink itself do not prevent rebinding; what matters is write access to the directory that contains it. Ensure that no directory on the path of an approved working directory is writable by untrusted users, and prefer approving canonical (symlink-free) working directories.
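The following is an added example, not OpenClaw's code and not the systemRunPlanV2 implementation described above. It illustrates both the mechanism explained in the first answer and the detection and mitigation points here: a constructed temporary directory tree in which approval validates a cwd string that passes through a symlink, the symlink is rebound in the window before execution, and the command would run outside the approved workspace. Beside it is a hardened flow that refuses cwd paths with a rebindable symlink component and freezes the resolved cwd in the plan, re-checking it at execution. All names (`approve_vulnerable`, `FrozenPlan`, the `workspace`/`outside` layout) are this example's own. The "mutable symlink" test here treats a symlink as rebindable when the current process can write its containing directory, which is a simplification; a production check would ask whether an untrusted principal can.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path


def mutable_parent_symlinks(cwd: str) -> list[str]:
    """Components of cwd (itself or any ancestor) that are symlinks living in a
    directory this process can write to. Whoever can write that directory can
    unlink and recreate the symlink, rebinding the path without changing the
    cwd string. (Assumption: 'writable by me' stands in for 'writable by an
    untrusted user'; a real check would compare owners and ACLs.)"""
    p = Path(os.path.abspath(cwd))
    return [str(c) for c in (p, *p.parents)
            if c.is_symlink() and os.access(c.parent, os.W_OK)]


def inside(root: str, path: str) -> bool:
    """True if the resolved path lies under the resolved root."""
    r = os.path.realpath(root)
    return os.path.commonpath([r, os.path.realpath(path)]) == r


# Vulnerable flow: approval validates the path, but only the string survives
# into execution, where the kernel resolves the symlinks all over again.
def approve_vulnerable(argv, cwd, allowed_root) -> dict:
    if not inside(allowed_root, cwd):
        raise PermissionError("cwd outside workspace")
    return {"argv": list(argv), "cwd": cwd}


def execute_vulnerable(plan: dict) -> str:
    return os.path.realpath(plan["cwd"])  # directory the command really runs in


# Hardened flow: refuse rebindable paths, freeze the resolved cwd at approval,
# and re-resolve at execution so drift is rejected instead of followed.
@dataclass(frozen=True)
class FrozenPlan:
    argv: tuple
    cwd: str        # string the approver saw
    cwd_real: str   # what it resolved to when approved


def approve_hardened(argv, cwd, allowed_root) -> FrozenPlan:
    links = mutable_parent_symlinks(cwd)
    if links:
        raise PermissionError(f"rebindable symlink on cwd path: {links}")
    if not inside(allowed_root, cwd):
        raise PermissionError("cwd outside workspace")
    return FrozenPlan(tuple(argv), cwd, os.path.realpath(cwd))


def execute_hardened(plan: FrozenPlan) -> str:
    if os.path.realpath(plan.cwd) != plan.cwd_real:
        raise PermissionError("cwd resolved differently than at approval")
    return plan.cwd_real


def run_scenario() -> dict:
    """Constructed layout in a temp dir: workspace/project/src is the approved
    location, outside/src is not, and 'link' is a symlink on the cwd path."""
    base = tempfile.mkdtemp()
    try:
        workspace = os.path.join(base, "workspace")
        project_src = os.path.join(workspace, "project", "src")
        outside = os.path.join(base, "outside")
        os.makedirs(project_src)
        os.makedirs(os.path.join(outside, "src"))
        link = os.path.join(base, "link")
        os.symlink(os.path.join(workspace, "project"), link)
        cwd = os.path.join(link, "src")   # visible cwd string, never changes
        argv = ["make", "all"]
        plan = approve_vulnerable(argv, cwd, workspace)  # check passes
        # Attacker's window between check and use: rebind the parent symlink.
        os.unlink(link)
        os.symlink(outside, link)
        ran_in = execute_vulnerable(plan)  # now outside/src, string unchanged
        try:
            approve_hardened(argv, cwd, workspace)
            hardened_rejected = False
        except PermissionError:
            hardened_rejected = True
        # Even a plan frozen before the rebind is caught at execution time.
        stale = FrozenPlan(tuple(argv), cwd, os.path.realpath(project_src))
        try:
            execute_hardened(stale)
            drift_caught = False
        except PermissionError:
            drift_caught = True
        return {"visible_cwd": cwd, "ran_in": ran_in,
                "escaped": not inside(workspace, ran_in),
                "hardened_rejected": hardened_rejected,
                "drift_caught": drift_caught}
    finally:
        shutil.rmtree(base)
```

Calling `run_scenario()` returns a dictionary whose `visible_cwd` ends in `link/src` while `ran_in` ends in `outside/src`, with `escaped`, `hardened_rejected` and `drift_caught` all true. The two hardened checks are deliberately independent: rejecting rebindable components at approval removes the attacker's lever, and comparing the re-resolved cwd against the frozen one at execution catches any case the first check missed.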

