cvedb.io
CVE-2026-35632
HIGH · CVSS 7.1
EPSS exploitation probability: 0%
Published 2026-04-09T22:16:32.003 · Last modified 2026-06-17T10:40:54.267

Summary

OpenClaw through 2026.2.22 contains a symlink traversal vulnerability in agents.create and agents.update handlers that use fs.appendFile on IDENTITY.md without symlink containment checks. Attackers with workspace access can plant symlinks to append attacker-controlled content to arbitrary files, enabling remote code execution via crontab injection or unauthorized access via SSH key manipulation.

Affected products

openclaw — openclaw

Does this affect you?

Add your gear to cvedb and we'll alert you only when openclaw ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.