AI Threat Alert
CVE-2026-32024
MEDIUMOpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | pip | — | No patch |
Do you use OpenClaw? You're affected.
How severe is it?
What is the attack surface?
What should I do?
No patch available
Monitor for updates. Consider compensating controls or temporary mitigations.
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is CVE-2026-32024?
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.
Is CVE-2026-32024 actively exploited?
No confirmed active exploitation of CVE-2026-32024 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-32024?
No patch is currently available. Monitor vendor advisories for updates.
What is the CVSS score for CVE-2026-32024?
CVE-2026-32024 has a CVSS v3.1 base score of 5.5 (MEDIUM).
What are the technical details?
Original Advisory
OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.
Weaknesses (CWE)
CWE-59 — Improper Link Resolution Before File Access ('Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
- [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
- github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77 patch
- github.com/openclaw/openclaw/commit/6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2 patch
- github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf vendor-advisory
- vulncheck.com/advisories/openclaw-symlink-traversal-in-avatar-handling third-party-advisory
Timeline
Related Vulnerabilities
CVE-2026-33579 9.9 Analysis pending
Same package: openclaw CVE-2026-32922 9.9 Analysis pending
Same package: openclaw CVE-2026-30741 9.8 OpenClaw: RCE via request-side prompt injection
Same package: openclaw CVE-2026-53838 9.8 OpenClaw: approval scope bypass via reconnection state
Same package: openclaw CVE-2026-32038 9.8 Analysis pending
Same package: openclaw