Cyber Posture

CVE-2026-32054

Medium · Public PoC

Published: 21 March 2026

Modified: 24 March 2026
CVSS Score: 6.5 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32054 is a medium-severity Link Following (CWE-59) vulnerability in OpenClaw. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The CVE ranks at the 2.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data Destruction (T1485) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly addresses the vulnerability by requiring timely flaw remediation through patching to OpenClaw 2026.2.25 or later where symlink validation is fixed.

prevent: Mandates validation of file paths used in browser trace and download output handling to block symlink traversal and prevent escape from the temp directory.

detect: Provides integrity verification mechanisms to detect unauthorized file overwrites caused by symlink redirection outside the intended temp directory.

MITRE ATT&CK Enterprise Techniques · AI

T1485 · Data Destruction · Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

T1554 · Compromise Host Software Binary · Persistence
Adversaries may modify host software binaries to establish persistent access to systems.

T1562.001 · Disable or Modify Tools · Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.

T1565.001 · Stored Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Symlink traversal enabling arbitrary file overwrites directly facilitates stored data manipulation (T1565.001), data destruction (T1485), host binary compromise (T1554), and defense impairment via tool/config modification (T1562.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, enabling arbitrary file overwrite on the affected system.

Deeper analysis · AI

CVE-2026-32054, published on 2026-03-21, is a symlink traversal vulnerability (CWE-59) in OpenClaw versions prior to 2026.2.25. The issue resides in the browser trace and download output path handling, which fails to properly validate symlinks. This allows local attackers to escape the managed temp root directory by creating symlinks that redirect file writes to arbitrary locations on the affected system.

An attacker requires local access and low privileges (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U) to exploit the vulnerability. By crafting symlinks in the temp directory, they can route trace or download output writes outside the intended scope, enabling arbitrary file overwrites. This yields a CVSS base score of 6.5, with low confidentiality impact but high integrity and availability impacts (C:L/I:H/A:H).

Mitigation is addressed by upgrading to OpenClaw 2026.2.25 or later, where the vulnerability is fixed via commit https://github.com/openclaw/openclaw/commit/496a76c03ba85e15ea715e5a583e498ae04d36e3. Further details are available in the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-36h3-7c54-j27r and the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-symlink-traversal-in-browser-trace-download-path-handling.
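
The output-path validation named under the mitigating controls can be sketched as follows. This is an added example, not OpenClaw's code and not the change made in the referenced commit; the helper names (`isInside`, `writeInsideRoot`, `demo`) and all file names are hypothetical, and the demo builds its own constructed temp directory.

```javascript
// Added illustration; helper and file names are hypothetical, not OpenClaw's.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `child` equals `parent` or lies beneath it (both already real paths).
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Write `data` to `name` under `root`, refusing "..", symlinked directories
// and a symlinked final component.
function writeInsideRoot(root, name, data) {
  const realRoot = fs.realpathSync(root);
  const target = path.resolve(realRoot, name);
  if (target === realRoot || !isInside(realRoot, target)) {
    throw new Error('path escapes temp root: ' + name);
  }
  // realpath follows every link in the parent chain, exposing a planted directory link.
  const realParent = fs.realpathSync(path.dirname(target));
  if (!isInside(realRoot, realParent)) {
    throw new Error('symlinked directory escapes temp root: ' + name);
  }
  // O_NOFOLLOW makes open() fail with ELOOP when the last component is a link.
  const flags = fs.constants.O_WRONLY | fs.constants.O_CREAT |
    fs.constants.O_TRUNC | (fs.constants.O_NOFOLLOW || 0);
  const fd = fs.openSync(path.join(realParent, path.basename(target)), flags, 0o600);
  try { fs.writeFileSync(fd, data); } finally { fs.closeSync(fd); }
}
// Constructed scenario: a temp root containing one file link and one directory link.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'));
  const root = path.join(base, 'tmp-root');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(root); fs.mkdirSync(outside);
  const victim = path.join(outside, 'victim.txt');
  fs.writeFileSync(victim, 'original');
  fs.symlinkSync(victim, path.join(root, 'trace.zip'));
  fs.symlinkSync(outside, path.join(root, 'downloads'));
  const results = {};
  for (const name of ['trace.zip', 'downloads/victim.txt', '../outside/victim.txt', 'ok.bin']) {
    try { writeInsideRoot(root, name, 'new'); results[name] = 'written'; }
    catch (err) { results[name] = 'refused'; }
  }
  results.victim = fs.readFileSync(victim, 'utf8');
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

The parent check and the open are separate system calls, so this covers links that already exist when the write starts but not a directory swapped in between the two; keeping the temp root writable only by the service account removes that opening.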

Details

CWE(s)

Affected Products

openclaw openclaw ≤ 2026.2.25

CVEs Like This One

CVE-2026-31990 · Same product: Openclaw Openclaw
CVE-2026-32013 · Same product: Openclaw Openclaw
CVE-2026-32024 · Same product: Openclaw Openclaw
CVE-2026-41364 · Same product: Openclaw Openclaw
CVE-2026-41397 · Same product: Openclaw Openclaw
CVE-2026-41383 · Same product: Openclaw Openclaw
CVE-2026-41380 · Same product: Openclaw Openclaw
CVE-2026-35653 · Same product: Openclaw Openclaw
CVE-2026-28457 · Same product: Openclaw Openclaw
CVE-2026-28459 · Same product: Openclaw Openclaw
