CVE-2026-43570

Summary

OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. Attackers can exploit this by providing crafted symlink paths to access files outside the intended repository directory.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw2026.3.22 < 2026.4.5affected
OpenClawOpenClaw2026.4.5unaffected

Weaknesses

  • CWE-61: CWE-61 UNIX Symbolic Link (Symlink) Following

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References