Executive Summary

This vulnerability exists in OpenClaw versions through 2026.2.22 and involves a symlink traversal issue in the agents.create and agents.update handlers. These handlers use the fs.appendFile function on a file named IDENTITY.md without checking for symlink containment. As a result, an attacker who has access to the workspace can create symbolic links that cause attacker-controlled content to be appended to arbitrary files.

This can lead to serious consequences such as remote code execution through crontab injection or unauthorized access by manipulating SSH keys.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can have significant impacts including allowing an attacker with workspace access to execute arbitrary code remotely by injecting malicious entries into crontab files.

Additionally, it can enable unauthorized access by modifying SSH keys, potentially compromising system security and allowing attackers to gain persistent access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers with workspace access to append arbitrary content to critical system files, potentially leading to remote code execution or unauthorized access via SSH key manipulation.

Such unauthorized access and potential system compromise could lead to violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA, which require safeguarding system integrity and preventing unauthorized access to sensitive data.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves symlink traversal in the OpenClaw agents.create and agents.update handlers, which append data to the IDENTITY.md file without symlink containment checks.

To detect if your system is vulnerable, you can check for the presence of symbolic links named IDENTITY.md within agent workspaces that point to sensitive files such as /etc/crontab, ~/.ssh/authorized_keys, or shell profile files.

Suggested commands to detect suspicious symlinks include:

• Find symlinks named IDENTITY.md in the workspace directories: find /path/to/agent/workspaces -type l -name 'IDENTITY.md' -ls
• Check where these symlinks point to: ls -l /path/to/agent/workspaces/*/IDENTITY.md
• Verify if the symlink targets are sensitive files: for link in $(find /path/to/agent/workspaces -type l -name 'IDENTITY.md'); do readlink -f "$link"; done

Additionally, monitoring for unexpected modifications to critical files like /etc/crontab or ~/.ssh/authorized_keys could indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting workspace access to trusted users only, as the vulnerability requires local write access to the agent workspace.

Remove or audit any existing symlinks named IDENTITY.md within agent workspaces to ensure they do not point to sensitive files.

Implement monitoring and alerting for unauthorized changes to critical system files such as /etc/crontab and ~/.ssh/authorized_keys.

Avoid using vulnerable versions of OpenClaw (prior to 2026.2.22) until a patch is released, or consider disabling the agents.create and agents.update handlers if possible.

Apply strict file system permissions to prevent unauthorized creation of symlinks in the agent workspace.

Useful 0 Not Useful 0