Nixpkgs security tracker

Untriaged

Permalink CVE-2026-32060

8.8 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 month ago

OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in apply_patch that allows attackers to write or delete files outside the configured workspace directory. When apply_patch is enabled without filesystem sandbox containment, attackers can exploit crafted paths including directory traversal sequences or absolute paths to escape workspace boundaries and modify arbitrary files.

References

GitHub Security Advisory (GHSA-r5fq-947m-xm57) vendor-advisory
Patch Commit patch
VulnCheck Advisory: OpenClaw < 2026.2.14 - Path Traversal in apply_patch via Crafted Paths third-party-advisory

Affected products

openclaw

==0
==2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable 2026.2.26
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers