GHSA-7XR2-Q9VF-X4R5: Symlink Traversal via IDENTITY.md in OpenClaw

The openclaw npm package provides a platform for managing and interacting with autonomous agents. The system utilizes file-based workspaces to store agent data, configuration files, and identity definitions. These workspaces are manipulated via a set of API endpoints exposed by the package, specifically the generic file access methods and the agent lifecycle methods. The vulnerability, identified as GHSA-7XR2-Q9VF-X4R5, exists within the agent lifecycle methods agents.create and agents.update.

This flaw represents an incomplete fix for a prior vulnerability tracked as CVE-2026-32013. The original vulnerability was a symlink traversal flaw in the agents.files.get and agents.files.set gateway methods. While the patch for CVE-2026-32013 implemented path resolution and containment checks for generic file operations, it failed to apply these protections to the hardcoded identity management logic. The failure to validate the specific target file allows an attacker to bypass the workspace sandbox.

The vulnerability is classified as CWE-61: UNIX Symbolic Link Following. By exploiting this flaw, an authenticated attacker can append arbitrary data to restricted files on the underlying host operating system. The successful exploitation of this vulnerability yields a high severity impact, directly compromising system integrity and potentially leading to remote code execution.

The root cause of GHSA-7XR2-Q9VF-X4R5 lies in the disparate handling of file operations within the OpenClaw API. The developers introduced a secure middleware, tools.fs.workspaceOnly, to enforce path containment for the generic agents.files API endpoints. This middleware explicitly resolves symbolic links and verifies that the resulting path resides within the authorized workspace directory. However, the agents.create and agents.update methods do not utilize this containment middleware.

Instead of relying on the hardened file operation wrapper, the AgentManager class implements a direct, hardcoded file system interaction to manage the agent's identity file. The function constructs a target path by concatenating the agent's workspace path with the string IDENTITY.md using the Node.js path.join utility. The application then immediately executes an fs.promises.appendFile operation on the constructed path without any intermediate validation or sanitization.

The Node.js fs module, including appendFile, natively follows symbolic links during path resolution by default. Because the application logic does not verify the file type or the resolved absolute path of IDENTITY.md prior to the append operation, the underlying operating system transparently redirects the write operation to the target of the symlink. The system trusts the path blindly, resulting in an arbitrary file append vulnerability.

An examination of the vulnerable code within src/agents/manager.ts reveals the precise mechanism of the failure. The updateAgentIdentity function constructs the path and executes the write operation directly. The logic relies on the assumption that IDENTITY.md is a standard file created and managed exclusively by the application.

// Vulnerable Code Snippet (Pre-2026.2.26)
async function updateAgentIdentity(agentId, identityData) {
    const workspacePath = getWorkspacePath(agentId);
    const identityFilePath = path.join(workspacePath, 'IDENTITY.md');
    
    // The application does not check if identityFilePath is a symlink.
    // It blindly appends data, trusting the workspace structure.
    const identityString = generateIdentityMarkdown(identityData);
    await fs.promises.appendFile(identityFilePath, identityString);
}

The patch introduced in version 2026.2.26 addresses this oversight by implementing an explicit realpath resolution step before executing the file operation. The application now uses fs.promises.realpath to determine the actual destination path on the disk, dereferencing any intermediate symbolic links. The resolved path is then validated against the expected workspace directory.

// Patched Code Snippet (2026.2.26)
async function updateAgentIdentity(agentId, identityData) {
    const workspacePath = getWorkspacePath(agentId);
    const identityFilePath = path.join(workspacePath, 'IDENTITY.md');
    
    // Retrieve the true, absolute path of the target file.
    const realPath = await fs.promises.realpath(identityFilePath).catch(() => identityFilePath);
    
    // Verify that the resolved path is confined to the workspace.
    if (!realPath.startsWith(workspacePath)) {
        throw new SecurityError("Symlink escape detected in agent identity file.");
    }
    
    const identityString = generateIdentityMarkdown(identityData);
    await fs.promises.appendFile(realPath, identityString);
}

This fix is complete for this specific code path, as it correctly aligns the authorization check with the actual file modification target. The use of realpath neutralizes the path traversal attack vector by exposing the true destination of the symlink. However, this fix highlights a broader architectural weakness regarding the reliance on ad-hoc path validation rather than a centralized file access abstraction layer.

Exploiting GHSA-7XR2-Q9VF-X4R5 requires the attacker to possess authenticated access to the OpenClaw platform with permissions to manage an agent. The attacker must also possess the ability to create symbolic links within the agent's designated workspace directory. This capability is typically available through the previously patched generic file API or via other intended application functionalities that allow file uploads or archive extraction.

The first phase of the attack involves the establishment of the malicious symbolic link. The attacker identifies the absolute or relative path of their agent's workspace directory. Using an available file manipulation interface, the attacker creates a symbolic link named IDENTITY.md that points to a sensitive file on the host operating system, such as /etc/passwd.

Once the symbolic link is in place, the attacker initiates the second phase by invoking the agents.update API endpoint. The attacker supplies a crafted JSON payload containing the data they wish to append to the target file. The payload utilizes the identity.name field or other user-controlled attributes that the application serializes into the markdown identity string.

POST /api/agents/update
{
  "agentId": "agent-uuid",
  "identity": {
    "name": "\nmalicious_user:x:0:0::/root:/bin/bash\n"
  }
}

Upon receiving the request, the server executes the updateAgentIdentity function. The Node.js appendFile operation follows the IDENTITY.md symbolic link and appends the serialized identity string, which includes the attacker's crafted payload, directly to the host system's /etc/passwd file.

The successful exploitation of this vulnerability yields a high-severity impact on the host system. The attacker gains the capability to append arbitrary, user-controlled strings to any file that the Node.js process has permission to write. This violates the confidentiality, integrity, and availability of the host operating system and any co-hosted applications.

The primary risk associated with arbitrary file appends is privilege escalation and remote code execution. By appending a new root-level user entry to /etc/passwd or injecting an SSH public key into an administrator's ~/.ssh/authorized_keys file, the attacker can secure persistent, high-privileged shell access to the host machine. Furthermore, the attacker can append malicious commands to shell initialization scripts such as .bashrc or .profile.

Data corruption is an additional consequence of this vulnerability. The injected payload is wrapped within the application's markdown formatting, which may corrupt strictly parsed configuration files. If an attacker appends data to critical system files or application configuration databases, the resulting parsing errors can cause denial of service conditions, forcing the application or the host operating system offline.

The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, resulting in a base score of 8.8. The attack vector is over the network, and the complexity is low because it relies on standard API interactions. Authentication is required, but no additional user interaction is necessary to execute the exploit payload.

The vulnerability is fully remediated in OpenClaw version 2026.2.26. Organizations utilizing the OpenClaw npm package must upgrade their dependency immediately to prevent exploitation. The update patches the vulnerable updateAgentIdentity function by introducing fs.promises.realpath validation, ensuring that file operations cannot escape the intended workspace boundaries via symbolic links.

In environments where an immediate dependency upgrade is not feasible, administrators must apply defense-in-depth mitigations. The most critical mitigation is executing the Node.js application process with the minimum necessary file system privileges. The OpenClaw process must not run as the root user. Access to sensitive system directories and files must be explicitly denied at the operating system level using standard Linux permissions or Mandatory Access Control systems like SELinux or AppArmor.

Additionally, security teams should implement continuous monitoring and auditing of the agent workspace directories. Administrators can deploy file integrity monitoring tools to detect the creation of unexpected symbolic links or named pipes within the workspace hierarchies. Automated scripts can periodically scan user directories and alert on any symlink that points outside the designated environment.