Three New OpenClaw CVEs Target File Access and WebSocket Authentication
What Happened
Two high-severity vulnerabilities were publicly disclosed on March 20, 2026, affecting OpenClaw versions prior to 2026.2.25. CVE-2026-32013 is a symlink traversal flaw in the agents.files.get and agents.files.set methods that allows an attacker to read and write files outside the designated agent workspace. By exploiting symlinked allowlisted files, an attacker can reach arbitrary host files within the permissions of the gateway process, potentially enabling code execution through file overwrites.
The companion vulnerability, CVE-2026-32025, exposes an authentication hardening gap for browser-origin WebSocket clients. Attackers can bypass origin checks and auth throttling on loopback deployments, which enables password brute-forcing against the gateway to establish an authenticated operator session and invoke control-plane methods. A third related CVE, CVE-2026-32015 (CVSS 7.0), concerns PATH hijacking in tools.exec.safeBins: an attacker who controls the PATH the process resolves binaries through can get a trojan binary with an allowlisted name executed.
Why It Matters
These three vulnerabilities add to an already serious security picture for OpenClaw deployments. The symlink traversal issue is particularly concerning for organizations running OpenClaw agents that process untrusted inputs or user-controlled file paths, a common enterprise pattern. The WebSocket authentication bypass directly undermines the gateway's security perimeter, which is the primary trust boundary for most OpenClaw installations. With over 135,000 OpenClaw instances reportedly exposed to the internet as of mid-March, the attack surface is enormous.
What's Next
All three vulnerabilities are patched in OpenClaw version 2026.2.25 and later. Organizations running earlier versions should upgrade immediately. Security teams should also audit the gateway process's permissions, restrict its filesystem access to the minimum necessary scope, and put network-level controls in place that limit where WebSocket connections can originate, rather than relying on loopback hardening alone.