GHSA-5ghc-98wh-gwwf: OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read

March 2, 2026

The Control UI static file handler previously validated asset paths lexically and then served files with APIs that follow symbolic links. A symlink placed under the Control UI root could cause out-of-root file reads.

References

github.com/advisories/GHSA-5ghc-98wh-gwwf
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/7c500ff6236fa087ec1ec88696ca9f6881e90dc5
github.com/openclaw/openclaw/security/advisories/GHSA-5ghc-98wh-gwwf

Code Behaviors & Features

Detect and mitigate GHSA-5ghc-98wh-gwwf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →