CVE-2026-27485

OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 2.5

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f	Patch
https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0	Patch
https://github.com/openclaw/openclaw/pull/20796	Issue Tracking
https://github.com/openclaw/openclaw/releases/tag/v2026.2.19	Release Notes
https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-21 10:16

Updated : 2026-02-23 20:43

NVD link : CVE-2026-27485

Mitre link : CVE-2026-27485

CVE.ORG link : CVE-2026-27485

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-61

UNIX Symbolic Link (Symlink) Following

{"id": "CVE-2026-27485", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-21T10:16:12.723", "references": [{"url": "https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openclaw/openclaw/pull/20796", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-61"}]}], "descriptions": [{"lang": "en", "value": "OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents. If exploited, this vulnerability can lead to potential unintentional disclosure of local files from the packaging machine into a generated .skill artifact, but requires local execution of the packaging script on attacker-controlled skill contents. This issue has been fixed in version 2026.2.18."}, {"lang": "es", "value": "OpenClaw es un asistente personal de IA. En las versiones 2026.2.17 e inferiores, skills/skill-creator/scripts/package_skill.py (un script auxiliar local utilizado cuando los autores empaquetan habilidades) segu\u00eda previamente los enlaces simb\u00f3licos (symlinks) al construir archivos .skill. Si un autor ejecuta este script en un directorio de habilidad local manipulado que contiene enlaces simb\u00f3licos a archivos fuera de la ra\u00edz de la habilidad, el archivo resultante puede incluir contenido de archivo no deseado. Si se explota, esta vulnerabilidad puede llevar a una posible divulgaci\u00f3n no intencionada de archivos locales desde la m\u00e1quina de empaquetado a un artefacto .skill generado, pero requiere la ejecuci\u00f3n local del script de empaquetado sobre contenidos de habilidad controlados por el atacante. Este problema ha sido solucionado en la versi\u00f3n 2026.2.18."}], "lastModified": "2026-02-23T20:43:11.533", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7FCEB318-0B88-45F7-8AC7-5860166A7AC5", "versionEndIncluding": "2026.2.17"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}