OpenClaw Symlink Traversal via IDENTITY.md appendFile in agents.create/update

The openclaw npm package is vulnerable to a symlink traversal vulnerability (CVE-2026-32013) affecting versions 2026.2.22 and earlier. The vulnerability lies in the agents.create and agents.update handlers within the src/gateway/server-methods/agents.ts file. These handlers use fs.appendFile on the IDENTITY.md file without proper symlink containment checks. An attacker capable of placing a symlink within the agent workspace can redirect the IDENTITY.md path to point to arbitrary files on the system, allowing them to append attacker-controlled content to these files. This can lead to serious consequences such as remote code execution by modifying /etc/crontab, persistent code execution by modifying shell configuration files like ~/.bashrc, or unauthorized SSH access by modifying ~/.ssh/authorized_keys.

Attack Chain

1. The attacker gains initial access to the agent workspace.
2. The attacker plants a symbolic link named IDENTITY.md within the agent workspace. This symlink points to a sensitive system file, such as /etc/crontab or ~/.ssh/authorized_keys.
3. The ensureAgentWorkspace function is called, but the exclusive-create flag (wx) skips creation due to the existing symlink (EEXIST error).
4. The attacker triggers the agents.create or agents.update API endpoint, for example, by sending an HTTP POST request.
5. The agents.create or agents.update handler constructs the path to IDENTITY.md using path.join(workspaceDir, DEFAULT_IDENTITY_FILENAME).
6. The vulnerable fs.appendFile function is called to append agent metadata (name, emoji, avatar) to the IDENTITY.md file. Because fs.appendFile follows symlinks, the content is written to the attacker-controlled target file.
7. Attacker-controlled data is appended to the target file.
8. If the target file is a cron configuration file, this leads to remote code execution. If it’s an SSH authorized_keys file, this leads to unauthorized access.

Impact

Successful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. This can lead to:

• Remote Code Execution: By appending malicious entries to /etc/crontab or user crontab files.
• Persistent Code Execution: By modifying shell configuration files like ~/.bashrc or ~/.profile.
• Unauthorized SSH Access: By appending SSH keys to ~/.ssh/authorized_keys.
• Service Disruption: By modifying application configuration files.

The vulnerability affects openclaw versions 2026.2.22 and earlier, and no patches are currently available. The number of affected systems depends on the adoption rate of the openclaw package.

Recommendation

• Monitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.
• Implement and deploy the provided Sigma rule to detect exploitation attempts by monitoring fs.appendFile calls related to IDENTITY.md without symlink resolution.
• Restrict access to the agent workspace directory to prevent attackers from planting symlinks.
• Upgrade to a patched version of openclaw when available.