CVE-2026-32060
Path Traversal in OpenClaw apply_patch Allows Arbitrary File Modification
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.2.14 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32060 is a high-severity path traversal vulnerability in OpenClaw versions prior to 2026.2.14. It exists in the apply_patch function, which, when enabled without filesystem sandbox containment, allows attackers to use crafted file paths containing directory traversal sequences (like ../) or absolute paths to escape the intended workspace directory.
This vulnerability enables attackers to write or delete files outside the configured workspace directory, potentially modifying arbitrary files on the system.
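The containment failure described above is easiest to see by comparing a naive path join with a resolve-then-check containment test. The following is an added illustration, not OpenClaw's code: the workspace path and the patch target strings are constructed samples, and the two helper functions are hypothetical names chosen here to show the vulnerable pattern (join and trust the result) beside the hardened one (resolve the full path and require it to sit strictly inside the workspace root). Note that `os.path.join` silently discards the workspace when the second argument is absolute, which is why an absolute path in a patch header escapes just as effectively as a `../` sequence.

```python
"""Workspace containment check for patch file targets (illustrative, not OpenClaw's code)."""
import os
from pathlib import Path

# Constructed sample workspace root; it does not need to exist for the check to run.
WORKSPACE = "/srv/agent/workspace"

# Constructed sample patch targets of the kinds a crafted patch header could carry.
SAMPLE_TARGETS = [
    "src/app.py",                 # ordinary relative path, stays inside
    "./docs/../README.md",        # traversal that still resolves inside the root
    "../../etc/cron.d/job",       # traversal that climbs out of the workspace
    "/etc/passwd",                # absolute path: join() drops the workspace entirely
    "src/../../other-project/x",  # escapes one level above the root
]


def naive_target(workspace: str, patch_path: str) -> str:
    """Vulnerable pattern: join the header path onto the workspace and trust the result."""
    return os.path.join(workspace, patch_path)


def contained_target(workspace: str, patch_path: str) -> Path:
    """Hardened pattern: resolve symlinks and '..' first, then require strict containment.

    Raises PermissionError when the resolved target is not strictly inside the
    resolved workspace root (the root itself is rejected too, since a patch
    must name a file, not the directory).
    """
    root = Path(workspace).resolve()
    candidate = (root / patch_path).resolve()
    if root not in candidate.parents:
        raise PermissionError(f"patch target escapes workspace: {patch_path!r}")
    return candidate


def classify(workspace: str, targets) -> dict:
    """Map each target to ('allowed', resolved path) or ('rejected', where naive join would land)."""
    results = {}
    for target in targets:
        naive = os.path.normpath(naive_target(workspace, target))
        try:
            results[target] = ("allowed", str(contained_target(workspace, target)))
        except PermissionError:
            results[target] = ("rejected", naive)
    return results


if __name__ == "__main__":
    for target, (verdict, path) in classify(WORKSPACE, SAMPLE_TARGETS).items():
        print(f"{verdict:8} {target!r:32} -> {path}")
```

The check resolves both the root and the candidate before comparing them, so a symlink inside the workspace that points elsewhere is also caught; a purely lexical prefix comparison on the unresolved strings would not catch it.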
How can this vulnerability impact me?
The vulnerability allows unauthorized modification or deletion of files outside the intended workspace directory. This can lead to serious impacts including unauthorized file system changes, potential local file disclosure, and compromise of system integrity and availability.
- Attackers can write or delete arbitrary files on the system.
- It can lead to high confidentiality, integrity, and availability impacts.
- The vulnerability can be exploited remotely with low complexity and no user interaction required, assuming the attacker has low privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-32060 vulnerability, you should immediately upgrade OpenClaw to version 2026.2.14 or later, where the vulnerability is fixed.
If upgrading is not immediately possible, consider disabling the apply_patch feature by setting tools.exec.applyPatch.enabled to false if it is not required.
Ensure that the apply_patch function runs with filesystem sandbox containment enabled by keeping the default setting tools.exec.applyPatch.workspaceOnly set to true. This enforces that patch operations are restricted to the workspace directory.
Restrict tool execution permissions and use allowlisting to limit who can trigger patch application, reducing the risk of exploitation by less-trusted users.