OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.
History

Mon, 13 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenClaw versions before 2026.6.9 contain a symlink following vulnerability in the mirror sync feature that allows lower-trust callers to perform actions requiring stronger authorization. Attackers can exploit remote symlink parents to bypass policy checks and authorization boundaries when the feature is enabled and reachable.
Title OpenClaw < 2026.6.9 Symlink Following via Mirror Sync
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-367
CWE-59
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-13T21:30:12.700Z

Updated: 2026-07-13T21:30:12.700Z

Reserved: 2026-07-13T16:36:32.095Z

Link: CVE-2026-62189

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.