CVE-2026-31990 MEDIUM

CVE-2026-31990: OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination

Vendor Openclaw
Product OpenClaw
Weakness CWE-59
Published March 19, 2026
Last update March 19, 2026

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions prior to 2026.3.2 contain a vulnerability in the stageSandboxMedia function in which it fails to validate destination symlinks during media staging, allowing writes to follow symlinks outside the sandbox workspace. Attackers can exploit this by placing symlinks in the media/inbound directory to overwrite arbitrary files on the host system outside sandbox boundaries.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
March 19, 2026 Record updated