GHSA-m34q-h93w-vg5x: openclaw: path traversal enables remote dir overwrite

Published April 7, 2026

CISO Take

openclaw's OpenShell mirror-sync backend accepted arbitrary absolute paths for remoteWorkspaceDir and remoteAgentWorkspaceDir without validation, allowing any caller who could influence those config values to trigger deletion and overwrite of any remote directory the process had access to. For AI teams running openclaw in automated agent pipelines or shared development environments, this is a destructive write primitive — an attacker who controls config delivery (e.g., via a malicious skill, compromised config store, or MITM of config sync) could wipe production agent workspaces or replace them with attacker-controlled content, potentially enabling follow-on code execution. There is no public exploit and it is not in CISA KEV, but the package has 37 prior CVEs and a history of supply-chain abuse in its skills ecosystem. Upgrade to openclaw >= 2026.4.2 immediately; audit any pipeline that passes remote workspace paths from untrusted sources.

Sources: GitHub Advisory ATLAS CISA KEV

Risk Assessment

Medium severity with above-average contextual risk for AI environments. The CWE-22 path traversal is a well-understood vulnerability class, but the destructive nature (delete + overwrite) elevates impact beyond typical read-only traversal bugs. Exploitability requires ability to influence OpenShell config values — non-trivial but achievable via malicious skills, misconfigured config management, or insider threat. No EPSS data or public PoC exists. The 37 prior CVEs in the same package signal persistent security debt. Highest risk in multi-tenant or CI/CD contexts where openclaw agents run with broad filesystem access.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
openclaw	npm	<= 2026.4.1	`2026.4.2`

Do you use openclaw? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Moderate

Recommended Action

Patch immediately: upgrade openclaw to >= 2026.4.2 which constrains mirror sync roots to allowed paths.
Until patched, disable or firewall the OpenShell mirror-sync backend if not actively needed.
Audit current OpenShell configurations for unexpected absolute paths in remoteWorkspaceDir or remoteAgentWorkspaceDir values.
Enforce least-privilege: run openclaw processes with a dedicated service account scoped to only the directories they legitimately need.
Review audit logs for mirror-sync operations targeting paths outside expected workspace roots.
In CI/CD pipelines, validate all config values sourced from external inputs before passing to openclaw.
Given the 37 CVEs in this package, evaluate whether openclaw is a long-term acceptable dependency or whether migration is warranted.

Classification

Supply Chain Code Execution Agent Framework AML.T0010.005 - AI Agent Tool AML.T0049 - Exploit Public-Facing Application AML.T0081 - Modify AI Agent Configuration AML.T0101 - Data Destruction via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.9.3 - Security of AI system inputs

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied

OWASP LLM Top 10

LLM08:2025 - Excessive Agency

Related AI Incidents (1)

Malicious OpenClaw Skills Reportedly Delivered AMOS Stealer and Exfiltrated Credentials via ClawHub

Feb 2026 Unknown threat actors distributing malicious OpenClaw skills, Unknown threat actors, Unknown malicious actors medium confidence

Both involve the openclaw ecosystem as the attack surface. The malicious skills vector in AIID #1368 provides a realistic delivery mechanism for exploiting this config manipulation vulnerability — a poisoned ClawHub skill could modify OpenShell config values to trigger the destructive path traversal during mirror-sync.

AIID #1368

Source: AI Incident Database (AIID)

Technical Details

NVD Description

## Summary Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations. ## Impact If an attacker could influence those OpenShell config values, mirror sync could delete the contents of an unintended remote directory and replace them with uploaded workspace data. This was a destructive remote-path bug in the mirror-sync path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `b21c9840c2e38f4bb338d031511b479d5f07ca25` — constrain OpenShell mirror sync roots ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @jufeng123768 for reporting.

Exploitation Scenario

An adversary with access to openclaw's skill/plugin ecosystem (as seen in AIID #1368 where ~17% of ClawHub skills were reportedly malicious) publishes a skill that modifies the OpenShell mirror configuration to set remoteWorkspaceDir to a sensitive path such as /opt/ai-platform/models or /home/service-account/.ssh. When the victim's openclaw agent runs the compromised skill and subsequently triggers a mirror-sync operation, the backend deletes the contents of that remote directory and replaces it with the attacker's uploaded workspace data. In a CI/CD context, this could overwrite model artifacts with backdoored versions, or destroy training checkpoints. In an agentic workflow with persistent memory, overwriting the agent's workspace could inject malicious instructions into future agent sessions.