Source: GitHub Security Advisories

[openclaw] OpenClaw gateway agents.files symlink escape allowed out-of-workspace file read/write

By GitHub
March 3, 2026

**Impact**

The gateway `agents.files.get` and `agents.files.set` methods allowed symlink traversal for allowlisted workspace files. A symlinked allowlisted file (for example `AGENTS.md`) could resolve outside the agent workspace and be read/written by the gateway process. This could enable arbitrary host file read/write within the gateway process permissions, and chained impact up to code execution depending on which files are overwritten.

**Affected Packages / Versions**

- Package: openclaw (npm)
- Affected versions: <= 2026.2.24
- Latest published vulnerable version at patch time: 2026.2.24
- Patched versions: >= 2026.2.25

**Remediation**

`agents.files` now resolves real workspace paths, enforces containment for resolved targets, rejects out-of-workspace symlink targets, and keeps in-workspace symlink targets supported. The patch also adds gateway regression tests for blocked escapes and valid in-workspace symlink behavior...

---

**[devsupporter commentary]**

This article is the latest development news provided by GitHub Security Advisories. To learn more about the related tools or technologies, see the original link.