GHSA-M8V2-6WWH-R4GC: Sandbox Escape via Symlink Manipulation in OpenClaw

OpenClaw, a platform for personal AI agents, utilizes a sandbox environment to isolate agent operations from the host system. To maintain security, the platform enforces strict validation on bind mounts, ensuring that agents can only access specific allowed directories (e.g., a designated workspace) and are blocked from sensitive system paths.

The vulnerability, identified as GHSA-M8V2-6WWH-R4GC, resides in the validateBindMounts function. It allows a malicious actor to bypass these restrictions by leveraging a flaw in how the system handles paths that do not currently exist on the disk. Specifically, the validation logic fails to canonicalize paths when the target file (the "leaf" node) is missing, even if the parent directories contain symlinks pointing to restricted locations. This results in a classic Time-of-Check Time-of-Use (TOCTOU) style logical bypass, granting the sandbox read/write access to the host filesystem.

The root cause lies in the tryRealpathAbsolute helper function within src/agents/sandbox/validate-sandbox-security.ts. This function is responsible for resolving a given path to its canonical absolute form (resolving all symlinks and .. segments) before security checks are applied against the allowedSourceRoots list.

The flaw stems from a performance optimization or logic oversight: the function checks if the full path exists using existsSync(path). If the path does not exist, the function immediately returns the raw, unvalidated input path without attempting to resolve the parent directory structure.

// VULNERABLE LOGIC
if (!existsSync(path)) return path; // Returns raw path if leaf is missing

This behavior assumes that a non-existent path is safe or cannot reference a restricted location. However, in a UNIX-like filesystem, a path like /safe/workspace/symlink_to_etc/new_file might not exist as a file, but its resolution depends on symlink_to_etc. By returning the raw path, the validator checks /safe/workspace/... (which passes the allowlist) instead of /etc/new_file (which would be blocked).

The following comparison illustrates the critical change in the patch. The fix ensures that even if the final file is missing, the validation logic traverses up the directory tree to find the nearest existing ancestor and resolves the path from there.

Vulnerable Implementation

function tryRealpathAbsolute(path: string): string {
  if (!path.startsWith("/")) return path;
  
  // CRITICAL FLAW: Short-circuit prevents resolution of parent symlinks
  if (!existsSync(path)) return path; 
  
  try {
    return normalizeHostPath(realpathSync.native(path));
  } catch {
    return path;
  }
}

Patched Implementation

The fix introduces resolvePathViaExistingAncestor, which handles missing leaf nodes correctly:

function resolvePathViaExistingAncestor(sourcePath: string): string {
  if (!sourcePath.startsWith("/")) return sourcePath;
  const normalized = normalizeHostPath(sourcePath);
  let current = normalized;
  const missingSegments: string[] = [];
 
  // Walk up until an existing directory is found
  while (current !== "/" && !existsSync(current)) {
    missingSegments.unshift(posix.basename(current));
    current = posix.dirname(current);
  }
 
  // If we hit root and nothing exists, return original
  if (!existsSync(current)) return normalized;
 
  try {
    // Resolve the deepest existing ancestor
    const resolvedAncestor = normalizeHostPath(realpathSync.native(current));
    
    // Reconstruct the full path with the resolved base + missing segments
    if (missingSegments.length === 0) return resolvedAncestor;
    return normalizeHostPath(posix.join(resolvedAncestor, ...missingSegments));
  } catch {
    return normalized;
  }
}

An attacker with control over the agent's workspace can exploit this vulnerability to write files to arbitrary locations on the host system (e.g., creating a cron job or modifying SSH keys).

Prerequisites

1. Access: The attacker must be able to execute code within the OpenClaw agent or manipulate the workspace files.
2. Mount Capability: The attacker must be able to trigger a new bind mount operation (e.g., requesting a new tool or storage allocation).

Attack Steps

1. Create Malicious Symlink: Inside the allowed workspace (e.g., /home/user/openclaw/workspace), the attacker creates a symlink pointing to a sensitive system directory.

   ln -s /etc/cron.d /home/user/openclaw/workspace/exploit_link

2. Request Bind Mount: The attacker requests OpenClaw to bind mount a non-existent file path through that symlink.
   • Source: /home/user/openclaw/workspace/exploit_link/evil_job
   • Target: /mnt/agent/job
3. Bypass Validation:
   • The validator sees the path starts with the allowed root /home/user/openclaw/workspace.
   • It calls tryRealpathAbsolute. Since evil_job does not exist yet, existsSync fails, and the function returns the raw path.
   • The raw path passes the allowedSourceRoots check.
4. Execution: The container runtime performs the mount. The OS resolves the symlink /home/user/openclaw/workspace/exploit_link to /etc/cron.d. The bind mount connects /etc/cron.d/evil_job on the host to /mnt/agent/job in the container.
5. Impact: The attacker writes a malicious cron entry to /mnt/agent/job, which appears on the host at /etc/cron.d/evil_job and is executed by the host system.

The impact of this vulnerability is Critical for deployments where the host system is sensitive.

• Host Compromise: By writing to locations like /etc/cron.d, /root/.ssh, or /etc/ld.so.conf.d, an attacker can escalate privileges from the sandboxed agent to full root access on the host machine.
• Data Exfiltration: While the primary vector described is for writing new files, if the attacker can guess filenames that do not exist yet but will be created by the system, they could potentially hijack those files. Furthermore, blind writes can disrupt system stability.
• Bypass of Security Controls: This effectively nullifies the blocked-path configuration intended to protect sensitive paths like /proc, /sys, and /var.

CVSS Vector (Estimated): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (High/Critical). The Scope change (S:C) is key here, as the vulnerability allows the attacker to break out of the sandbox (the constrained component) and affect the host (the user component).

Users must upgrade OpenClaw immediately to a version that includes the patch from February 24, 2026.

Official Patch

• Fixed Version: OpenClaw versions released after 2026.2.23.
• Commit: b5787e4abba0dcc6baf09051099f6773c1679ec1

Temporary Workarounds

If an upgrade is not immediately possible:

1. Disable Bind Mounts: Configure agents to run without host bind mounts if possible.
2. Monitor Filesystem: Use auditd or similar tools to monitor for symlink creation within agent workspaces pointing to /, /etc, or /var.
3. Strict Root Allowlist: Ensure allowedSourceRoots are as specific as possible and do not reside on filesystems where untrusted users can create symlinks.