CVE-2026-32020: OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.
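The flaw described above, shown as an added Node.js example that is not OpenClaw's code: a lexical containment check accepts a symlink placed under the root, while canonicalizing with `realpathSync` before the check rejects it. The function names, file names and temporary directory layout are constructed for illustration.

```javascript
// Added example, not OpenClaw code. Names and fixture are constructed.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Lexical check only: collapses ".." but never consults the filesystem.
function resolveLexical(root, requestPath) {
  const candidate = path.resolve(root, requestPath.replace(/^\/+/, ""));
  return candidate.startsWith(root + path.sep) ? candidate : null;
}

// Hardened: canonicalize root and candidate, then re-check containment.
function resolveHardened(root, requestPath) {
  const candidate = resolveLexical(root, requestPath);
  if (candidate === null) return null;
  try {
    const realRoot = fs.realpathSync(root);
    const real = fs.realpathSync(candidate); // follows every symlink
    return real.startsWith(realRoot + path.sep) ? real : null;
  } catch { return null; } // missing file or dangling link
}

// Constructed fixture: UI root, a file outside it, a symlink joining them.
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ui-symlink-demo-"));
  const root = path.join(base, "ui-root");
  fs.mkdirSync(root);
  fs.writeFileSync(path.join(root, "app.js"), "// constructed asset\n");
  fs.writeFileSync(path.join(base, "outside.txt"), "constructed out-of-root data\n");
  fs.symlinkSync(path.join(base, "outside.txt"), path.join(root, "logo.svg"));
  return { base, root };
}

function demo() {
  const { base, root } = buildFixture();
  try {
    const lexical = resolveLexical(root, "logo.svg");
    return {
      traversalBlocked: resolveLexical(root, "../outside.txt") === null,
      lexicalAcceptsLink: lexical !== null,
      leaked: fs.readFileSync(lexical, "utf8"), // readFileSync follows the link
      hardenedRejectsLink: resolveHardened(root, "logo.svg") === null,
      hardenedServesAsset: resolveHardened(root, "app.js") !== null,
    };
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
  }
}

console.log(demo());
```

Serve the canonical path the hardened function returns rather than the requested one, since re-resolving the request path at open time would follow the link again.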