GHSA-m34q-h93w-vg5x: openclaw: path traversal enables remote dir overwrite

GHSA-m34q-h93w-vg5x MEDIUM
Published April 7, 2026
CISO Take

openclaw's OpenShell mirror-sync backend accepted arbitrary absolute paths for remoteWorkspaceDir and remoteAgentWorkspaceDir without validation, allowing any caller who could influence those config values to trigger deletion and overwrite of any remote directory the process had access to. For AI teams running openclaw in automated agent pipelines or shared development environments, this is a destructive write primitive — an attacker who controls config delivery (e.g., via a malicious skill, compromised config store, or MITM of config sync) could wipe production agent workspaces or replace them with attacker-controlled content, potentially enabling follow-on code execution. There is no public exploit and it is not in CISA KEV, but the package has 37 prior CVEs and a history of supply-chain abuse in its skills ecosystem. Upgrade to openclaw >= 2026.4.2 immediately; audit any pipeline that passes remote workspace paths from untrusted sources.

Sources: GitHub Advisory ATLAS CISA KEV

What is the risk?

Medium severity with above-average contextual risk for AI environments. The CWE-22 path traversal is a well-understood vulnerability class, but the destructive nature (delete + overwrite) elevates impact beyond typical read-only traversal bugs. Exploitability requires ability to influence OpenShell config values — non-trivial but achievable via malicious skills, misconfigured config management, or insider threat. No EPSS data or public PoC exists. The 37 prior CVEs in the same package signal persistent security debt. Highest risk in multi-tenant or CI/CD contexts where openclaw agents run with broad filesystem access.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
OpenClaw npm <= 2026.4.1 2026.4.2
4 dependents 41% patched ~3d to patch Full package profile →

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What should I do?

7 steps
  1. Patch immediately: upgrade openclaw to >= 2026.4.2 which constrains mirror sync roots to allowed paths.

  2. Until patched, disable or firewall the OpenShell mirror-sync backend if not actively needed.

  3. Audit current OpenShell configurations for unexpected absolute paths in remoteWorkspaceDir or remoteAgentWorkspaceDir values.

  4. Enforce least-privilege: run openclaw processes with a dedicated service account scoped to only the directories they legitimately need.

  5. Review audit logs for mirror-sync operations targeting paths outside expected workspace roots.

  6. In CI/CD pipelines, validate all config values sourced from external inputs before passing to openclaw.

  7. Given the 37 CVEs in this package, evaluate whether openclaw is a long-term acceptable dependency or whether migration is warranted.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - Security of AI system inputs
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied
OWASP LLM Top 10
LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is GHSA-m34q-h93w-vg5x?

openclaw's OpenShell mirror-sync backend accepted arbitrary absolute paths for remoteWorkspaceDir and remoteAgentWorkspaceDir without validation, allowing any caller who could influence those config values to trigger deletion and overwrite of any remote directory the process had access to. For AI teams running openclaw in automated agent pipelines or shared development environments, this is a destructive write primitive — an attacker who controls config delivery (e.g., via a malicious skill, compromised config store, or MITM of config sync) could wipe production agent workspaces or replace them with attacker-controlled content, potentially enabling follow-on code execution. There is no public exploit and it is not in CISA KEV, but the package has 37 prior CVEs and a history of supply-chain abuse in its skills ecosystem. Upgrade to openclaw >= 2026.4.2 immediately; audit any pipeline that passes remote workspace paths from untrusted sources.

Is GHSA-m34q-h93w-vg5x actively exploited?

No confirmed active exploitation of GHSA-m34q-h93w-vg5x has been reported, but organizations should still patch proactively.

How to fix GHSA-m34q-h93w-vg5x?

1. Patch immediately: upgrade openclaw to >= 2026.4.2 which constrains mirror sync roots to allowed paths. 2. Until patched, disable or firewall the OpenShell mirror-sync backend if not actively needed. 3. Audit current OpenShell configurations for unexpected absolute paths in remoteWorkspaceDir or remoteAgentWorkspaceDir values. 4. Enforce least-privilege: run openclaw processes with a dedicated service account scoped to only the directories they legitimately need. 5. Review audit logs for mirror-sync operations targeting paths outside expected workspace roots. 6. In CI/CD pipelines, validate all config values sourced from external inputs before passing to openclaw. 7. Given the 37 CVEs in this package, evaluate whether openclaw is a long-term acceptable dependency or whether migration is warranted.

What systems are affected by GHSA-m34q-h93w-vg5x?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development pipelines, model artifact storage, CI/CD for AI systems, multi-tenant AI platforms.

What is the CVSS score for GHSA-m34q-h93w-vg5x?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworksAI development pipelinesmodel artifact storageCI/CD for AI systemsmulti-tenant AI platforms

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

## Summary Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations. ## Impact If an attacker could influence those OpenShell config values, mirror sync could delete the contents of an unintended remote directory and replace them with uploaded workspace data. This was a destructive remote-path bug in the mirror-sync path. ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected versions: `<= 2026.4.1` - Patched versions: `>= 2026.4.2` - Latest published npm version: `2026.4.1` ## Fix Commit(s) - `b21c9840c2e38f4bb338d031511b479d5f07ca25` — constrain OpenShell mirror sync roots ## Release Process Note The fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live. Thanks @jufeng123768 for reporting.

Exploitation Scenario

An adversary with access to openclaw's skill/plugin ecosystem (as seen in AIID #1368 where ~17% of ClawHub skills were reportedly malicious) publishes a skill that modifies the OpenShell mirror configuration to set remoteWorkspaceDir to a sensitive path such as /opt/ai-platform/models or /home/service-account/.ssh. When the victim's openclaw agent runs the compromised skill and subsequently triggers a mirror-sync operation, the backend deletes the contents of that remote directory and replaces it with the attacker's uploaded workspace data. In a CI/CD context, this could overwrite model artifacts with backdoored versions, or destroy training checkpoints. In an agentic workflow with persistent memory, overwriting the agent's workspace could inject malicious instructions into future agent sessions.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published
April 7, 2026
Last Modified
April 7, 2026
First Seen
April 7, 2026

Related Vulnerabilities