CVE-2026-32007 in OpenClaw

Summary

by MITRE • 03/20/2026

OpenClaw versions prior to 2026.2.23 contain a path traversal vulnerability in the experimental apply_patch tool that allows attackers with sandbox access to modify files outside the workspace directory by exploiting inconsistent enforcement of workspace-only checks on mounted paths. Attackers can use apply_patch operations on writable mounts outside the workspace root to access and modify arbitrary files on the system.


Analysis

by VulDB Data Team • 03/25/2026

The vulnerability identified as CVE-2026-32007 affects OpenClaw versions before 2026.2.23 and represents a critical path traversal flaw within the experimental apply_patch tool. The weakness stems from inadequate validation of file paths when patch operations are processed on mounted filesystem locations. Its root cause is inconsistent enforcement of workspace-only access controls: an authorized user operating inside the sandboxed environment can bypass the intended directory restrictions. The flaw manifests when the apply_patch utility processes files located on writable mount points that extend beyond the designated workspace boundaries, allowing a malicious actor to manipulate system files outside the intended operational scope.

Technically, this is a directory traversal that exploits inconsistent behaviour in the tool's path validation. When apply_patch encounters a mounted filesystem path, it fails to enforce the workspace confinement policy that should restrict file operations to the designated root directory. That inconsistency lets an attacker craft patch operations targeting files outside the legitimate workspace, effectively extending their access beyond the intended sandbox boundary. The vulnerability sits at the intersection of filesystem access control and input validation: the tool's path resolution logic does not adequately distinguish legitimate workspace paths from unauthorized external mounts.

From an operational perspective, this vulnerability presents a significant risk to system integrity and data confidentiality. Attackers with sandbox access can exploit this flaw to modify critical system files, potentially leading to privilege escalation, data exfiltration, or system compromise. The impact extends beyond simple file manipulation as it undermines the fundamental security model of the sandboxed environment. Organizations relying on OpenClaw for automated patch management or deployment operations face substantial risk, as the vulnerability allows unauthorized access to arbitrary files on the system through seemingly legitimate patch application processes. The experimental nature of the apply_patch tool means that many security monitoring systems may not adequately detect or alert on this specific attack pattern, making it particularly dangerous.

The vulnerability aligns with CWE-22 Path Traversal and follows patterns consistent with ATT&CK technique T1059 Command and Scripting Interpreter, where adversaries leverage legitimate system tools to execute unauthorized operations. The weakness represents a failure in input validation and access control enforcement that can be exploited through carefully crafted patch operations. Organizations should implement immediate mitigations including updating to OpenClaw 2026.2.23 or later, disabling the experimental apply_patch tool until proper security controls are implemented, and conducting thorough audits of all mounted filesystems to identify potential attack vectors. Additionally, security teams should enhance monitoring for unusual patch application patterns and implement stricter path validation controls within the tool's configuration to prevent unauthorized access to system resources outside the designated workspace boundaries.
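To make the root cause described in the analysis above concrete, and to illustrate the "stricter path validation" the mitigation paragraph calls for, the following is an added example, not OpenClaw's code and not taken from the advisory. It contrasts two forms of a workspace-only check: a lexical one that only normalises `../` in the string, and one that resolves the real path before comparing. The layout (a workspace, a writable directory outside it standing in for a mount, and a symlink inside the workspace pointing at that mount) is constructed in a temporary directory purely for the demonstration; the function and file names are assumptions.

```python
import os
import tempfile
from pathlib import Path


def lexical_check(root: str, candidate: str) -> bool:
    # Weak form of a workspace-only check: it normalises "../" lexically but
    # never consults the filesystem, so a symlink or mount that sits inside
    # the workspace and points outside it passes unchallenged.
    root_n = os.path.normpath(os.path.abspath(root))
    cand_n = os.path.normpath(os.path.join(root_n, candidate))
    return cand_n == root_n or cand_n.startswith(root_n + os.sep)


def realpath_check(root: str, candidate: str) -> bool:
    # Strict form: resolve symlinks in both the root and the candidate, then
    # require the resolved target to be the root itself or a descendant of it.
    # Absolute candidates are handled too: Path(root) / "/abs" yields "/abs",
    # which resolves outside the root and is rejected.
    root_real = Path(root).resolve(strict=True)
    target = (root_real / candidate).resolve(strict=False)
    return target == root_real or root_real in target.parents


def apply_patch_ops(root, ops, check):
    """Apply (relative_path, content) operations, writing only those the
    supplied check accepts. Returns {relative_path: "written" | "rejected"}."""
    results = {}
    for rel, content in ops:
        if not check(root, rel):
            results[rel] = "rejected"
            continue
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
        results[rel] = "written"
    return results


def demo():
    """Constructed scenario (hypothetical layout, not OpenClaw's): a workspace,
    a writable directory outside it that stands in for a mount, and a symlink
    inside the workspace that points at that mount."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp, "workspace")
        workspace.mkdir()
        mount = Path(tmp, "mount")
        mount.mkdir()
        (workspace / "mnt").symlink_to(mount)  # the "mount" as seen from inside

        ops = [
            ("src/app.py", "print('ok')\n"),        # legitimate workspace write
            ("../mount/settings.toml", "x = 1\n"),  # lexical escape via "../"
            ("mnt/settings.toml", "x = 1\n"),       # escape through the mount symlink
        ]
        weak = apply_patch_ops(str(workspace), ops, lexical_check)
        # Did the lexically "in-workspace" write actually land outside it?
        landed_on_mount = (mount / "settings.toml").exists()
        strict = apply_patch_ops(str(workspace), ops, realpath_check)
        return {"lexical": weak, "realpath": strict,
                "escaped_write_landed_on_mount": landed_on_mount}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The point the example makes is that `../` filtering is not confinement: the lexical check accepts `mnt/settings.toml` and the write lands in the directory outside the workspace, while the realpath-based check rejects it because the resolved target is not beneath the resolved root. A defender reviewing a tool's workspace checks should look for exactly this gap, and for the same check being applied on every code path that writes, including the ones that handle mounted locations.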

Responsible

VulnCheck

Reservation

03/10/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00083

KEV

no

Activities

very low

Sources
