GHSA-9mph-4f7v-fmvh: OpenClaw has agent avatar symlink traversal in gateway session metadata

March 4, 2026

A crafted local avatar path could follow a symlink outside the agent workspace and return arbitrary file contents as a base64 data: URL in gateway responses.

References

github.com/advisories/GHSA-9mph-4f7v-fmvh
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/3d0337504349954237d09e4d957df5cb844d5e77
github.com/openclaw/openclaw/security/advisories/GHSA-9mph-4f7v-fmvh

Code Behaviors & Features

Detect and mitigate GHSA-9mph-4f7v-fmvh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →