CVE-2026-43570: OpenClaw: symlink traversal exposes host filesystem

GHSA-35mw-5vvr-vrxc MEDIUM
Published May 5, 2026
CISO Take

OpenClaw versions prior to 2026.4.5 allow unauthenticated remote attackers to read arbitrary files outside the marketplace repository sandbox through crafted symlink paths — a high-confidentiality, zero-integrity-impact vulnerability (CVSS 6.5). While absent from CISA KEV and lacking a public exploit, this package sits in the top 77th EPSS percentile for exploitation likelihood and carries 135 known CVEs, signaling a persistent security posture problem. Critically, AIID incident #1368 already documents threat actors distributing credential-stealing skills through OpenClaw's marketplace, making this traversal a natural second-stage amplifier — once a malicious skill is installed, symlinks could harvest API keys, .env files, and agent configuration secrets from the host. Upgrade immediately to 2026.4.5, audit all installed marketplace skills, and run OpenClaw in a filesystem-isolated container until patched.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

Medium-high risk for AI agent deployments consuming OpenClaw marketplace content. The CVSS 6.5 score understates operational risk in AI pipeline contexts where OpenClaw agents often hold API keys, model credentials, and sensitive data files. The low complexity attack (AV:N/AC:L) requires only user interaction — a user browsing or installing from the marketplace. EPSS top 77th percentile and documented threat actor activity in the OpenClaw skills ecosystem (AIID #1368) elevate this beyond typical medium severity. The 135 CVEs in the same package indicate a systemic security deficit rather than an isolated defect.

How does the attack unfold?

  1. Marketplace Infiltration (AML.T0010.005): Attacker publishes a crafted repository to the OpenClaw marketplace containing symlinks pointing outside the repository root to sensitive host paths such as ../../.env or ../../.ssh/id_rsa.

  2. User Execution (AML.T0011): Victim's OpenClaw agent fetches or installs the marketplace skill, triggering the vulnerable path handling code that follows crafted symlinks without canonicalization or sandbox validation.

  3. Local File Access (AML.T0037): Symlinks resolve to sensitive files outside the repository directory — API keys, agent configs, SSH keys, or .env files containing cloud and model service credentials.

  4. Credential Exfiltration (AML.T0025): Accessed file contents are returned through the marketplace interaction context, enabling the attacker to harvest credentials and pivot laterally into AI infrastructure.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: >= 2026.3.22, < 2026.4.5
Patched: 2026.4.5
4 dependents, 36% patched, ~3d to patch


How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

  1. Patch: Upgrade to openclaw >= 2026.4.5 immediately — this is the only complete fix.

  2. Isolate: Run OpenClaw in containers with minimal filesystem mounts — avoid mounting home directories, /etc, or credential stores.

  3. Audit: Review all installed marketplace skills for suspicious symlink entries; verify skill provenance and publisher identity.

  4. Detect: Monitor for unexpected file reads outside expected workspace directories in OpenClaw process logs; alert on symlink resolution to paths outside /tmp or designated workspace.

  5. Restrict: Disable remote marketplace repository access in environments where it is not operationally required.

  6. Rotate: If OpenClaw processed untrusted marketplace content before patching, rotate all secrets accessible from the working directory.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.8.4 - AI system security
NIST AI RMF: GOVERN 6.1 - Policies and procedures for AI supply chain
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-43570 actively exploited?

No confirmed active exploitation of CVE-2026-43570 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-43570?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Plugin and skills marketplaces, Automated AI pipelines, CI/CD enrichment workflows.

What is the CVSS score for CVE-2026-43570?

CVE-2026-43570 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

AI agent frameworks, Plugin and skills marketplaces, Automated AI pipelines, CI/CD enrichment workflows

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.4
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.

Exploitation Scenario

A threat actor registers an account on the OpenClaw marketplace and publishes a seemingly legitimate 'data analysis skill' repository. Inside, the repository contains symlinks pointing to ../../../../../../.env, ../../../.ssh/id_rsa, or OpenClaw agent configuration files. When a security analyst or automated OpenClaw pipeline installs or previews the skill, the vulnerable path handling code follows the symlinks without canonicalization, returning the contents of those sensitive files to the attacker-controlled interaction context. In AI pipeline environments, this could expose LLM API keys (OpenAI, Anthropic), vector database credentials, or training data paths — enabling the attacker to pivot into the broader AI infrastructure. Given AIID #1368, threat actors are already operating in this marketplace; this CVE gives them a low-friction file-read primitive alongside their existing execution techniques.

Weaknesses (CWE)

CWE-61 — UNIX Symbolic Link (Symlink) Following: The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

  • [Implementation] Symbolic link attacks often occur when a program creates a tmp directory that stores files/links. Access to the directory should be restricted to the program so as to prevent attackers from manipulating the files.
  • [Architecture and Design] Follow the principle of least privilege when assigning access rights to entities in a software system. Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Timeline

Published: May 5, 2026
Last Modified: May 8, 2026
First Seen: May 9, 2026