CVE-2026-32060 · HIGH 8.8 · EPSS p49.8%

Description

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.
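The containment check this description implies, as an added example: it is not OpenClaw code or the project's fix, and every name in it (checkPatchPath, realpathOfNearest, the demo workspace and the operation list) is hypothetical. It rejects absolute paths and traversal sequences for both write and delete operations, and also resolves symlinks so a link inside the workspace cannot lead outside it.

```javascript
// Added illustration; not OpenClaw code. All names here are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Resolve the deepest existing ancestor through symlinks, then re-attach the
// not-yet-existing tail, so a patch that creates a new file is still checked.
function realpathOfNearest(p) {
  let head = p; const tail = [];
  const exists = (q) => { try { fs.lstatSync(q); return true; } catch { return false; } };
  while (!exists(head)) {
    tail.unshift(path.basename(head));
    head = path.dirname(head);
  }
  return path.join(fs.realpathSync(head), ...tail); // throws on a dangling symlink
}

// Decide whether a path taken from a patch may be written or deleted.
function checkPatchPath(workspaceRoot, requested) {
  if (typeof requested !== "string" || requested === "" || requested.includes("\0"))
    return { ok: false, reason: "invalid path" };
  if (path.isAbsolute(requested)) return { ok: false, reason: "absolute path" };
  let root, real;
  try {
    root = fs.realpathSync(workspaceRoot);
    real = realpathOfNearest(path.resolve(root, requested));
  } catch { return { ok: false, reason: "unresolvable path" }; }
  const rel = path.relative(root, real);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel))
    return { ok: false, reason: "not inside workspace" };
  return { ok: true, target: real };
}

// Constructed demo: a throwaway workspace with one symlink pointing outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const ws = path.join(base, "workspace");
  fs.mkdirSync(path.join(ws, "src"), { recursive: true });
  fs.mkdirSync(path.join(base, "outside"));
  fs.symlinkSync(path.join(base, "outside"), path.join(ws, "link"));
  const ops = [ // constructed patch operations
    { op: "write", path: "src/new.txt" },
    { op: "delete", path: "../outside/secret" },
    { op: "write", path: path.join(base, "outside", "abs.txt") },
    { op: "write", path: "link/via-symlink.txt" },
  ];
  const results = ops.map((o) => ({ ...o, ...checkPatchPath(ws, o.path) }));
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

A check of this kind validates the path at one point in time, so it complements rather than replaces the filesystem sandbox containment the description mentions.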

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.74% probability of exploitation · percentile 49.8% · 2026-06-19T12:03:05Z
Published: 2026-03-11
Last modified: 2026-03-16

Underlying weaknesses · 1

CWE-22

References

  1. https://github.com/openclaw/openclaw/commit/5544646a09c0121fca7d7093812dc2de8437c7f1
  2. https://github.com/openclaw/openclaw/security/advisories/GHSA-r5fq-947m-xm57
  3. https://www.vulncheck.com/advisories/openclaw-path-traversal-in-apply-patch-via-crafted-paths

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-32007
CVE-2026-32055
CVE-2026-32026
CVE-2026-32920
CVE-2026-28462
CVE-2026-28453

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.