Mar 3, 2026
OpenClaw gateway fails to validate symbolic links in agent workspaces. Attackers can read/write host files by symlinking allowlisted filenames to system paths. Fixed in version 2026.2.25.
A critical symbolic link traversal vulnerability exists in the OpenClaw gateway component, specifically within the `agents.files` API methods. The vulnerability permits attackers to bypass workspace isolation mechanisms by creating symbolic links with allowlisted filenames (e.g., `AGENTS.md`) that point to arbitrary locations on the host filesystem. Successful exploitation allows unauthorized read and write access to sensitive system files, potentially leading to full system compromise.
The OpenClaw gateway is responsible for managing AI agent workspaces, including the retrieval and modification of specific configuration files like AGENTS.md, BOOTSTRAP.md, and MEMORY.md. Ideally, these operations are strictly confined to the agent's specific workspace directory to prevent unauthorized access to the underlying host system.
A critical flaw in the path resolution logic allows this containment to be breached. While the application validates that the requested filename matches an entry in a strict allowlist, it fails to verify the physical nature of the file on the disk. Specifically, it does not check if the target file is a symbolic link pointing outside the intended directory structure. This allows an attacker who can manipulate the workspace filesystem to map a valid filename to a sensitive system path, effectively tricking the gateway into performing operations on the external target.
The vulnerability stems from an insecure implementation of file path resolution (CWE-59: Improper Link Resolution Before File Access). The application relied on a superficial check of the requested filename string without canonicalizing the resulting path or inspecting filesystem metadata.
Technical Deficiencies:
- `path.join(workspaceDir, filename)`. This method resolves logical path components (like `..`) but does not resolve symbolic links on the filesystem.
- `realpath` to resolve the final destination of the file path before authorizing the operation.

The remediation involves a fundamental change in how file paths are resolved and validated before any I/O operation occurs. The fix introduces a strict verification routine that resolves symbolic links and enforces directory containment.
Vulnerable Logic (Conceptual):
The original implementation likely performed a direct join without validation:

```js
// Vulnerable: Trusted that 'name' being allowlisted was sufficient
const targetPath = path.join(workspaceDir, name);
// ... subsequent fs.readFile(targetPath) or fs.writeFile(targetPath)
```

Patched Logic:
The fix introduces a helper `resolveAgentWorkspaceFilePath` that canonicalizes paths and explicitly forbids traversal. The following logic mirrors the patch strategy described in the advisory:
```js
const fs = require("node:fs/promises");
const path = require("node:path");

async function resolveAgentWorkspaceFilePath(workspaceDir, name) {
  // 1. Resolve the canonical path of the workspace root
  const workspaceReal = await fs.realpath(workspaceDir);
  // 2. Construct candidate path
  const candidatePath = path.join(workspaceReal, name);
  // 3. Check for symlink escape using lstat (to see the link itself)
  //    and realpath (to see where it goes)
  const stats = await fs.lstat(candidatePath);
  if (stats.isSymbolicLink()) {
    const targetReal = await fs.realpath(candidatePath);
    // 4. Guard: Ensure the resolved target is still inside the workspace.
    //    Compare against the root plus a separator so that a sibling directory
    //    sharing the same string prefix does not pass the check.
    if (targetReal !== workspaceReal && !targetReal.startsWith(workspaceReal + path.sep)) {
      throw new Error("Security violation: unsafe workspace file");
    }
  }
  return candidatePath;
}
```

Additionally, the patch utilizes the `O_NOFOLLOW` flag during file open operations where supported, providing kernel-level protection against symlink following during the open syscall.
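The effect of `O_NOFOLLOW` can be seen in isolation with the added example below, which is not OpenClaw's code: it reads the same symlinked `AGENTS.md` once through a plain join and once through a descriptor opened with `O_NOFOLLOW`. The helper name `readWorkspaceFile`, the temp-directory fixture and its contents are assumptions, and the error code checked is the Linux/macOS one.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const ALLOWED = new Set(["AGENTS.md", "BOOTSTRAP.md", "MEMORY.md"]);

// Hypothetical helper (not OpenClaw's): read an allowlisted file, refusing a
// symlinked final component. Assumes Linux/macOS, where O_NOFOLLOW is defined.
function readWorkspaceFile(workspaceDir, name) {
  if (!ALLOWED.has(name)) throw new Error("file not allowlisted");
  const candidate = path.join(fs.realpathSync(workspaceDir), name);
  let fd;
  try {
    // open(2) with O_NOFOLLOW fails with ELOOP when the last component is a symlink.
    fd = fs.openSync(candidate, fs.constants.O_RDONLY | fs.constants.O_NOFOLLOW);
  } catch (err) {
    if (err.code === "ELOOP") throw new Error("unsafe workspace file");
    throw err;
  }
  try {
    // Check the descriptor we hold, so nothing can be swapped between check and read.
    if (!fs.fstatSync(fd).isFile()) throw new Error("unsafe workspace file");
    return fs.readFileSync(fd, "utf8");
  } finally {
    fs.closeSync(fd);
  }
}

// Constructed fixture: a temp workspace whose AGENTS.md links to a file outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const workspace = path.join(root, "test-agent");
  fs.mkdirSync(workspace);
  fs.writeFileSync(path.join(root, "secret.txt"), "outside-secret");
  fs.writeFileSync(path.join(workspace, "BOOTSTRAP.md"), "bootstrap notes");
  fs.symlinkSync(path.join(root, "secret.txt"), path.join(workspace, "AGENTS.md"));
  try {
    // Pre-patch behaviour: join + read silently follows the link.
    const naive = fs.readFileSync(path.join(workspace, "AGENTS.md"), "utf8");
    let guarded;
    try { guarded = readWorkspaceFile(workspace, "AGENTS.md"); }
    catch (err) { guarded = err.message; }
    return { naive, guarded, regular: readWorkspaceFile(workspace, "BOOTSTRAP.md") };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
  }
}

console.log(demo());
```

`O_NOFOLLOW` only covers the final path component, so it complements the `realpath` containment check rather than replacing it.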
Exploiting this vulnerability requires the attacker to have the ability to create files within the agent's workspace. This is often achievable if the attacker controls the agent's execution environment or can influence the agent to write files.
Attack Scenario:
- `AGENTS.md`), but the link target points to a sensitive system file.

```sh
ln -s /etc/passwd /workspace/test-agent/AGENTS.md
```

- `agents.files.get` API for the file `AGENTS.md`.
- `AGENTS.md` is an allowed name. It constructs the path `/workspace/test-agent/AGENTS.md` and opens it for reading. The operating system follows the symlink to `/etc/passwd`.
- `/etc/passwd` to the attacker.

Proof of Concept (Regression Test):
The following test case demonstrates the attack vector and the expected rejection in the patched version:
```ts
it("rejects agents.files.get when allowlisted file symlink escapes workspace", async () => {
  const workspace = "/workspace/test-agent";
  const candidate = `${workspace}/AGENTS.md`;
  // Mock filesystem state: AGENTS.md points to /outside/secret.txt
  mocks.fsRealpath.mockImplementation(async (p: string) => {
    if (p === candidate) return "/outside/secret.txt";
    return p;
  });
  // The API call attempts to read the compromised file
  const { respond, promise } = makeCall("agents.files.get", {
    agentId: "main",
    name: "AGENTS.md",
  });
  await promise;
  // Expectation: The system detects the traversal and errors out
  expect(respond).toHaveBeenCalledWith(
    false,
    undefined,
    expect.objectContaining({ message: expect.stringContaining("unsafe workspace file") }),
  );
});
```

The impact of this vulnerability is critical, characterized by a complete loss of confidentiality and integrity regarding the host filesystem.
- `/etc/passwd`, environment variable files containing API keys, SSH private keys (`~/.ssh/id_rsa`), and source code.
- `agents.files.set` method, attackers can overwrite arbitrary files. This can lead to Remote Code Execution (RCE) by overwriting `authorized_keys`, crontabs, or application configuration files.

The vulnerability is patched in `openclaw` version 2026.2.25. The fix enforces strict path resolution logic.
Immediate Actions:
- `openclaw` dependency to ^2026.2.25 immediately.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

| Product | Affected Versions | Fixed Version |
|---|---|---|
| openclaw OpenClaw | < 2026.2.25 | 2026.2.25 |

| Attribute | Detail |
|---|---|
| Vulnerability ID | GHSA-FGVX-58P6-GJWC |
| CWE ID | CWE-59 |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Affected Component | agents.files API |
| Patched Version | 2026.2.25 |
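
Alongside the upgrade, existing workspaces can be checked for allowlisted filenames that are symlinks resolving outside their workspace. The script below is an added example, not part of OpenClaw or the advisory; the one-directory-per-agent layout, the function names and the verdict labels are assumptions.

```javascript
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const ALLOWLIST = ["AGENTS.md", "BOOTSTRAP.md", "MEMORY.md"];

// path.relative avoids the prefix pitfall where "/ws/a-evil" passes startsWith("/ws/a").
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Assumed layout (not from the advisory): workspacesRoot/<agentId>/<file>.
function auditWorkspaces(workspacesRoot) {
  const findings = [];
  for (const entry of fs.readdirSync(workspacesRoot, { withFileTypes: true })) {
    if (!entry.isDirectory()) continue;
    const workspaceReal = fs.realpathSync(path.join(workspacesRoot, entry.name));
    for (const name of ALLOWLIST) {
      const candidate = path.join(workspaceReal, name);
      let st;
      try { st = fs.lstatSync(candidate); } catch { continue; } // file absent
      if (!st.isSymbolicLink()) continue;
      let target, verdict;
      try {
        target = fs.realpathSync(candidate);
        verdict = isInside(workspaceReal, target) ? "internal-link" : "escapes-workspace";
      } catch {
        // Dangling link: a write through it would create the target, so report it.
        target = fs.readlinkSync(candidate);
        verdict = "dangling-link";
      }
      findings.push({ agent: entry.name, name, target, verdict });
    }
  }
  return findings;
}

// Constructed fixture: "a" links into sibling "a-evil" (same string prefix); "b" is clean.
function demoAudit() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "ws-audit-"));
  for (const d of ["a", "a-evil", "b"]) fs.mkdirSync(path.join(root, d));
  fs.writeFileSync(path.join(root, "a-evil", "notes.txt"), "x");
  fs.writeFileSync(path.join(root, "b", "AGENTS.md"), "ok");
  fs.symlinkSync(path.join(root, "a-evil", "notes.txt"), path.join(root, "a", "AGENTS.md"));
  fs.symlinkSync(path.join(root, "a", "missing"), path.join(root, "a", "MEMORY.md"));
  try { return auditWorkspaces(root); }
  finally { fs.rmSync(root, { recursive: true, force: true }); }
}
console.log(demoAudit());
```

Any `escapes-workspace` or `dangling-link` finding on a gateway that ran a version below 2026.2.25 is worth treating as a lead for incident review, since the link target shows which host file the API would have touched.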