CVE-2026-41364
Symlink Following Vulnerability in OpenClaw SSH Sandbox Allows Arbitrary File Write
Publication date: 2026-04-28
Last updated on: 2026-04-28
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.3.31 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-41364 allows remote attackers to write arbitrary files on the affected system by escaping the SSH sandbox via symlink traversal during tar archive uploads. This unauthorized file write capability can lead to potential data integrity and availability issues on the remote host.
Such unauthorized file modifications could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity, confidentiality, and availability. If exploited, this vulnerability might enable attackers to alter or disrupt sensitive data or system files, potentially leading to breaches of regulatory requirements.
Therefore, organizations using vulnerable versions of OpenClaw should apply the patch in version 2026.3.31 promptly to mitigate risks that could affect compliance with these common standards.
Can you explain this vulnerability to me?
CVE-2026-41364 is a security vulnerability in OpenClaw versions before 2026.3.31 involving improper handling of symbolic links (symlinks) during SSH sandbox tar uploads.
Attackers can craft tar archives containing symlinks that point outside the intended upload directory (sandbox). When these archives are uploaded and extracted, the symlinks allow the attacker to escape the sandbox restrictions and write arbitrary files anywhere on the remote host.
This vulnerability arises because the SSH sandbox tar upload functionality did not validate whether symlinks resolved to paths outside the sandbox, enabling unauthorized file overwrites on the remote system.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized modification or overwriting of files on the remote host where OpenClaw is running.
By exploiting the symlink traversal flaw, an attacker with network access and limited privileges can escape the SSH sandbox and write arbitrary files, potentially leading to system compromise, data corruption, or denial of service.
The CVSS v4.0 score of 7.2 and v3.1 score of 8.1 reflect a high severity with significant impact on system integrity and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the uploading of tar archives containing symbolic links that escape the SSH sandbox and write arbitrary files on the remote host.
To detect exploitation attempts on your system or network, you can monitor for unusual tar upload activities or inspect uploaded tar archives for symlinks that point outside the intended upload directory.
Suggested commands include extracting and inspecting tar files before processing them, for example:
- List the contents of a tar archive and check for symlinks: `tar -tvf suspicious-upload.tar`
- Extract the tar archive in a safe directory and find symlinks: `tar -xvf suspicious-upload.tar -C /tmp/safe-dir && find /tmp/safe-dir -type l -ls`
- Check if any symlink points outside the intended directory by resolving symlink targets, for example using readlink or realpath commands.
Additionally, monitoring SSH upload logs for unexpected file writes or errors related to symlink validation may help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenClaw to version 2026.3.31 or later, where the vulnerability has been fixed.
The fix enforces strict validation of symlinks during SSH sandbox tar uploads, rejecting any symlink that resolves outside the upload directory to prevent sandbox escape.
Until you can upgrade, consider restricting or disabling SSH sandbox tar uploads if possible, or implementing additional monitoring to detect suspicious uploads containing symlinks.
Review and apply the patch referenced in the GitHub Security Advisory GHSA-fv94-qvg8-xqpw and the commit 3d5af14984ac1976c747a8e11581d697bd0829dc to ensure symlink validation is enforced.
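The detection question above and the fix described here both come down to the same check: resolve every archive member against the sandbox directory and reject anything that lands outside it. The following Python is an added example of that check, not OpenClaw's code; it inspects a tar archive without extracting it, assumes a hypothetical sandbox directory /sandbox/upload, and runs on a constructed in-memory archive.

```python
import io
import posixpath
import tarfile


def find_escaping_members(tar_bytes, upload_dir="/sandbox/upload"):
    """List (member name, reason) for each archive entry that would land outside upload_dir.
    Nothing is extracted. Paths are walked component by component, substituting symlinks
    declared earlier in the archive, so '..' after a symlink and a regular file written
    *through* an escaping symlink are both caught (CWE-59). upload_dir is an assumed path."""
    root = posixpath.normpath(upload_dir)
    links = {}       # absolute path of each symlink seen so far -> its resolved target
    findings = []

    def resolve(abs_path):
        cur = "/"
        for part in abs_path.split("/"):
            if part == "..":
                cur = posixpath.dirname(cur)          # '..' applies to the *resolved* path
            elif part not in ("", "."):
                cur = posixpath.join(cur, part)
                cur = links.get(cur, cur)             # follow a symlink from this archive
        return cur

    def inside(path):
        return path == root or path.startswith(root + "/")

    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            dest = resolve(root + "/" + m.name)
            if not inside(dest):
                findings.append((m.name, f"path resolves to {dest}"))
            elif m.issym():
                # a relative link target is resolved from the link's own directory
                raw = m.linkname if m.linkname.startswith("/") else posixpath.dirname(dest) + "/" + m.linkname
                links[dest] = target = resolve(raw)
                if not inside(target):
                    findings.append((m.name, f"symlink target resolves to {target}"))
    return findings


def build_sample_archive():
    """Constructed archive: a benign file, a benign in-sandbox symlink, an escaping
    symlink, and a regular file that would be written through that symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, linkname, data in [
            ("notes.txt", tarfile.REGTYPE, "", b"constructed sample\n"),
            ("docs", tarfile.SYMTYPE, "notes.txt", b""),
            ("escape", tarfile.SYMTYPE, "../../outside", b""),
            ("escape/overwritten.txt", tarfile.REGTYPE, "", b"lands in /outside\n"),
        ]:
            ti = tarfile.TarInfo(name)
            ti.type, ti.linkname, ti.size = kind, linkname, len(data)
            tf.addfile(ti, io.BytesIO(data) if data else None)
    return buf.getvalue()
```

Running `find_escaping_members(build_sample_archive())` reports both the escaping symlink and the file that would be written through it, while the benign file and in-sandbox link pass.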