GHSA-cfvj-7rx7-fc7c: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace

March 3, 2026

stageSandboxMedia allowed destination symlink traversal during media staging, which could overwrite files outside the sandbox workspace root.

References

github.com/advisories/GHSA-cfvj-7rx7-fc7c
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/17ede52a4be3034f6ec4b883ac6b81ad0101558a
github.com/openclaw/openclaw/security/advisories/GHSA-cfvj-7rx7-fc7c

Code Behaviors & Features

Detect and mitigate GHSA-cfvj-7rx7-fc7c with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →