Cyber Resilience

CVE-2026-32024

Severity: Medium · Public PoC referenced

Published: 19 March 2026
Modified: 23 March 2026
KEV Added: not listed
CVSS v4 score: 6.8
CVSS v4 vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0006 (18.9th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32024 is a medium-severity Link Following (CWE-59) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32024, published on 2026-03-19, is a symlink traversal vulnerability (CWE-59) in the avatar handling component of OpenClaw versions prior to 2026.2.22. It allows attackers to read arbitrary files outside the configured workspace boundary by exploiting symlinks, with a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact but no integrity or availability effects.

Remote attackers can exploit the vulnerability by requesting avatar resources through gateway surfaces, disclosing local files accessible to the OpenClaw process. Although the CVSS vector specifies local attack vector and low privileges required, the description confirms remote exploitation potential via these resource requests.

Mitigation is addressed in OpenClaw version 2026.2.22 and later, with fixes implemented in GitHub commits 3d0337504349954237d09e4d957df5cb844d5e77 and 6970c2c2db3ee069ef0fff0ade5cfbdd0134f9d2. Further details on the vulnerability and remediation are provided in the GitHub Security Advisory at GHSA-rx3g-mvc3-qfjf and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-avatar-handling.

Vulnerability details

OpenClaw versions prior to 2026.2.22 contain a symlink traversal vulnerability in avatar handling that allows attackers to read arbitrary files outside the configured workspace boundary. Remote attackers can exploit this by requesting avatar resources through gateway surfaces to disclose local files accessible to the OpenClaw process.

CWE(s): CWE-59 (Link Following)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Symlink traversal in the public-facing avatar component enables remote exploitation of the application (T1190) to read arbitrary local files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32013 (same product: Openclaw Openclaw)
CVE-2026-41397 (same product: Openclaw Openclaw)
CVE-2026-31990 (same product: Openclaw Openclaw)
CVE-2026-32846 (same product: Openclaw Openclaw)
CVE-2026-32033 (same product: Openclaw Openclaw)
CVE-2026-32026 (same product: Openclaw Openclaw)
CVE-2026-32054 (same product: Openclaw Openclaw)
CVE-2026-32030 (same product: Openclaw Openclaw)
CVE-2026-28479 (same product: Openclaw Openclaw)
CVE-2026-42438 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.22

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Directly remediates the specific symlink traversal flaw in OpenClaw avatar handling by applying vendor patches from version 2026.2.22.

SI-10 Information Input Validation (prevent): Validates avatar resource path inputs to block symlink traversal attempts outside the configured workspace boundary.

Least privilege (prevent): Limits damage from file disclosure by enforcing least privilege on the OpenClaw process, restricting access to only necessary files.
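The input-validation control above is easy to get wrong: a check that only normalises the text of a requested path and tests it against the workspace prefix still lets a symlink inside the workspace point at any file the process can read, which is the CWE-59 pattern this advisory describes. The following is an added illustration, not OpenClaw's code and not derived from the referenced fix commits; the function names, the "avatars" directory layout and the fixture files are all constructed for the demo. It places the weak prefix check beside a hardened check that canonicalises with realpath (following every link) before testing containment, and runs both against a workspace containing a symlink to an outside file.

```python
import os
import tempfile
from pathlib import Path


def resolve_avatar_unsafe(workspace: str, requested: str) -> str:
    """Weak check: normalises the *text* of the path and tests the prefix.
    A symlink inside the workspace still passes, because the link target is
    never consulted (the CWE-59 pattern the advisory describes)."""
    ws = os.path.normpath(workspace)
    candidate = os.path.normpath(os.path.join(ws, requested))
    if candidate != ws and not candidate.startswith(ws + os.sep):
        raise PermissionError(f"{requested!r} escapes the workspace")
    return candidate


def resolve_avatar_safe(workspace: str, requested: str) -> str:
    """Hardened check: canonicalise both sides with realpath (which follows
    every symlink) and only then test containment, so a link to an outside
    file is rejected before anything is opened."""
    ws_real = os.path.realpath(workspace)
    candidate = os.path.realpath(os.path.join(ws_real, requested))
    try:
        Path(candidate).relative_to(ws_real)
    except ValueError:
        raise PermissionError(f"{requested!r} resolves outside the workspace") from None
    if not os.path.isfile(candidate):
        raise FileNotFoundError(requested)
    return candidate


def build_demo_tree(root: str) -> tuple:
    """Constructed fixture (hypothetical layout, not taken from the advisory):
    a workspace holding one legitimate avatar and one symlink whose target
    lies outside the workspace boundary."""
    workspace = os.path.join(root, "workspace")
    avatars = os.path.join(workspace, "avatars")
    os.makedirs(avatars)
    secret = os.path.join(root, "outside-secret.txt")
    with open(secret, "w", encoding="utf-8") as f:
        f.write("not-an-avatar")
    with open(os.path.join(avatars, "ok.png"), "wb") as f:
        f.write(b"\x89PNG")
    os.symlink(secret, os.path.join(avatars, "linked.png"))
    return workspace, secret


def run_demo() -> dict:
    """Exercises both resolvers against the fixture and reports the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        workspace, _secret = build_demo_tree(root)

        # The textual prefix check accepts the symlink; opening the result
        # follows the link and yields the outside file's contents.
        leaked = resolve_avatar_unsafe(workspace, "avatars/linked.png")
        with open(leaked, encoding="utf-8") as f:
            results["unsafe_follows_symlink"] = f.read() == "not-an-avatar"

        # Canonicalising first rejects the same request.
        try:
            resolve_avatar_safe(workspace, "avatars/linked.png")
            results["safe_blocks_symlink"] = False
        except PermissionError:
            results["safe_blocks_symlink"] = True

        # A legitimate avatar is still served by the hardened check.
        ok = resolve_avatar_safe(workspace, "avatars/ok.png")
        results["safe_serves_regular_file"] = os.path.basename(ok) == "ok.png"

        # Plain dot-dot traversal is caught by both checks; only the
        # symlink case separates them.
        caught = 0
        for resolver in (resolve_avatar_unsafe, resolve_avatar_safe):
            try:
                resolver(workspace, "../outside-secret.txt")
            except PermissionError:
                caught += 1
        results["dotdot_blocked_by_both"] = caught == 2
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

The design point is that containment must be decided on the canonical path the kernel will actually open, not on the string the client sent; in a service that also writes avatars, the same resolver should be applied before the write, and the third control above (running the process with least privilege) bounds what a missed case can disclose.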
