CVE-2026-32060

high

Description

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

References

Advisories
More

https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths

https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57

https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1

Details

Source: Mitre, NVD

Published: 2026-03-11

Updated: 2026-03-16

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High

CVSS v4

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.00281