{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/symlink-traversal/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openclaw","symlink-traversal","vulnerability","npm","rce","persistence"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u003ccode\u003eopenclaw\u003c/code\u003e npm package is vulnerable to a symlink traversal vulnerability (CVE-2026-32013) affecting versions 2026.2.22 and earlier. The vulnerability lies in the \u003ccode\u003eagents.create\u003c/code\u003e and \u003ccode\u003eagents.update\u003c/code\u003e handlers within the \u003ccode\u003esrc/gateway/server-methods/agents.ts\u003c/code\u003e file. These handlers use \u003ccode\u003efs.appendFile\u003c/code\u003e on the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file without proper symlink containment checks. An attacker capable of placing a symlink within the agent workspace can redirect the \u003ccode\u003eIDENTITY.md\u003c/code\u003e path to point to arbitrary files on the system, allowing them to append attacker-controlled content to these files. This can lead to serious consequences such as remote code execution by modifying \u003ccode\u003e/etc/crontab\u003c/code\u003e, persistent code execution by modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e, or unauthorized SSH access by modifying \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the agent workspace.\u003c/li\u003e\n\u003cli\u003eThe attacker plants a symbolic link named \u003ccode\u003eIDENTITY.md\u003c/code\u003e within the agent workspace. 
This symlink points to a sensitive system file, such as \u003ccode\u003e/etc/crontab\u003c/code\u003e or \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eensureAgentWorkspace\u003c/code\u003e function is called, but the exclusive-create flag (\u003ccode\u003ewx\u003c/code\u003e) skips creation due to the existing symlink (EEXIST error).\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e API endpoint, for example, by sending an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eagents.create\u003c/code\u003e or \u003ccode\u003eagents.update\u003c/code\u003e handler constructs the path to \u003ccode\u003eIDENTITY.md\u003c/code\u003e using \u003ccode\u003epath.join(workspaceDir, DEFAULT_IDENTITY_FILENAME)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003efs.appendFile\u003c/code\u003e function is called to append agent metadata (name, emoji, avatar) to the \u003ccode\u003eIDENTITY.md\u003c/code\u003e file. Because \u003ccode\u003efs.appendFile\u003c/code\u003e follows symlinks, the content is written to the attacker-controlled target file.\u003c/li\u003e\n\u003cli\u003eAttacker-controlled data is appended to the target file.\u003c/li\u003e\n\u003cli\u003eIf the target file is a cron configuration file, this leads to remote code execution. If it\u0026rsquo;s an SSH authorized_keys file, this leads to unauthorized access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to append attacker-controlled content to arbitrary files on the system. 
This can lead to:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e By appending malicious entries to \u003ccode\u003e/etc/crontab\u003c/code\u003e or user crontab files.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistent Code Execution:\u003c/strong\u003e By modifying shell configuration files like \u003ccode\u003e~/.bashrc\u003c/code\u003e or \u003ccode\u003e~/.profile\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthorized SSH Access:\u003c/strong\u003e By appending SSH keys to \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Disruption:\u003c/strong\u003e By modifying application configuration files.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eThe vulnerability affects \u003ccode\u003eopenclaw\u003c/code\u003e versions 2026.2.22 and earlier, and no patches are currently available. The number of affected systems depends on the adoption rate of the \u003ccode\u003eopenclaw\u003c/code\u003e package.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor file creation events within agent workspace directories for the creation of symbolic links using file_event logs.\u003c/li\u003e\n\u003cli\u003eImplement and deploy the provided Sigma rule to detect exploitation attempts by monitoring \u003ccode\u003efs.appendFile\u003c/code\u003e calls related to IDENTITY.md without symlink resolution.\u003c/li\u003e\n\u003cli\u003eRestrict access to the agent workspace directory to prevent attackers from planting symlinks.\u003c/li\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003eopenclaw\u003c/code\u003e when available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-27T14:00:00Z","date_published":"2026-03-27T14:00:00Z","id":"/briefs/2026-03-openclaw-symlink/","summary":"OpenClaw is vulnerable to symlink traversal via IDENTITY.md 
appendFile in agents.create/update. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system, leading to remote code execution, persistent code execution, unauthorized SSH access, or service disruption.","title":"OpenClaw Symlink Traversal via IDENTITY.md appendFile in agents.create/update","url":"https://feed.craftedsignal.io/briefs/2026-03-openclaw-symlink/"}],"language":"en","title":"CraftedSignal Threat Feed — Symlink-Traversal","version":"https://jsonfeed.org/version/1.1"}