Cyber Resilience

CVE-2026-32054

Medium · Public PoC

Published: 21 March 2026

Modified: 24 March 2026
CVSS Score v4 5.9 CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 2.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-32054 is a medium-severity Link Following (CWE-59) vulnerability in Openclaw Openclaw. Its CVSS v4 base score is 5.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32054, published on 2026-03-21, is a symlink traversal vulnerability (CWE-59) in OpenClaw versions prior to 2026.2.25. The issue resides in the browser trace and download output path handling, which does not validate symlinks before writing. A local attacker who can create symlinks inside the managed temp root can therefore redirect the trace or download writes to arbitrary locations on the affected system.

An attacker requires local access and low privileges (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U) to exploit the vulnerability. By crafting symlinks in the temp directory, they can route trace or download output writes outside the intended scope, enabling arbitrary file overwrites. This yields a CVSS base score of 6.5, with low confidentiality impact but high integrity and availability impacts (C:L/I:H/A:H).

Mitigation is addressed by upgrading to OpenClaw 2026.2.25 or later, where the vulnerability is fixed via commit https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3. Further details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling.
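As an added illustration of the kind of check the fix calls for (this is not OpenClaw's code and not the content of the commit above), the routine below resolves every component of a candidate output path, refuses it when the resolved path leaves the temp root, and opens the final component with O_NOFOLLOW so a link swapped in after the check is not followed. The file names and the temp-root layout in the scenario are constructed.

```python
import os
import tempfile


def safe_output_path(root: str, rel_name: str) -> str:
    """Return an absolute path for rel_name that lies under root.

    realpath resolves symlinks in every component, including the last one,
    so a link planted anywhere in the tree cannot redirect the write outside
    the managed temp root.
    """
    root_real = os.path.realpath(root)
    resolved = os.path.realpath(os.path.join(root_real, rel_name))
    if os.path.commonpath([root_real, resolved]) != root_real:
        raise ValueError(f"output path escapes temp root: {rel_name!r}")
    return resolved


def write_output(root: str, rel_name: str, data: bytes) -> str:
    """Write data under root without following a symlink at the final component.

    O_NOFOLLOW closes the window between the realpath check and open():
    a link introduced after the check makes open() fail instead of being followed.
    """
    path = safe_output_path(root, rel_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_scenario() -> dict:
    """Constructed scenario: a symlink inside the temp root points at a file outside it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        victim = os.path.join(outside, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original")
        # Planted link (hypothetical name): <root>/trace.json -> <outside>/victim.txt
        os.symlink(victim, os.path.join(root, "trace.json"))
        try:
            write_output(root, "trace.json", b"tampered")
            blocked = False
        except ValueError:
            blocked = True
        with open(victim) as fh:
            victim_intact = fh.read() == "original"
        # A benign name still works and lands under the temp root
        written = write_output(root, "download.bin", b"ok")
        root_real = os.path.realpath(root)
        in_root = os.path.commonpath([root_real, written]) == root_real
        return {"blocked": blocked, "victim_intact": victim_intact, "benign_in_root": in_root}
```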

Vulnerability details

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1554 Compromise Host Software Binary Persistence
Adversaries may modify host software binaries to establish persistent access to systems.
T1685 Disable or Modify Tools Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Symlink traversal enabling arbitrary file overwrites directly facilitates stored data manipulation (T1565.001), data destruction (T1485), host binary compromise (T1554), and defense impairment via tool/config modification (T1562.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-31990 · Same product: Openclaw Openclaw
CVE-2026-41397 · Same product: Openclaw Openclaw
CVE-2026-32024 · Same product: Openclaw Openclaw
CVE-2026-41364 · Same product: Openclaw Openclaw
CVE-2026-32013 · Same product: Openclaw Openclaw
CVE-2026-41383 · Same product: Openclaw Openclaw
CVE-2026-41380 · Same product: Openclaw Openclaw
CVE-2026-35653 · Same product: Openclaw Openclaw
CVE-2026-28457 · Same product: Openclaw Openclaw
CVE-2026-28459 · Same product: Openclaw Openclaw

Affected Assets

Vendor: openclaw · Product: openclaw · Versions: ≤ 2026.2.25

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 (Flaw Remediation)

Directly addresses the vulnerability by requiring timely flaw remediation through patching to OpenClaw 2026.2.25 or later, where symlink validation is fixed.

prevent · SI-10 (Information Input Validation)

Mandates validation of file paths used in browser trace and download output handling to block symlink traversal and prevent escape from the temp directory.

detect

Provides integrity verification mechanisms to detect unauthorized file overwrites caused by symlink redirection outside the intended temp directory.
