# Vulnerability Summary

## Overview

A security vulnerability exists in the SSH sandbox upload feature of OpenClaw, allowing an attacker to escape the sandbox environment via symbolic links (symlinks). Specifically, when uploading a directory containing symbolic links, if a symlink points to a path outside the sandbox, an attacker can leverage these links to access or modify files outside the sandbox.

## Impact Scope

- **Affected Versions**: v2026.4.26-beta.1 and earlier
- **Affected Component**: SSH sandbox upload feature
- **Potential Risk**: An attacker may escape the sandbox via symbolic links to access or modify files outside the sandbox, leading to data leakage or system tampering.

## Remediation

1. **Reject Escaping Symlinks**: During the upload process, reject any symbolic links that point outside the sandbox.
2. **Update Code**: Modify the `uploadDirectoryToSshTarget` function in `src/agents/sandbox/ssh.ts` to ensure that escaping symbolic links are checked and rejected before upload.
3. **Add Test Cases**: Add test cases in `src/agents/sandbox/ssh.test.ts` to verify that the fixed code correctly rejects escaping symbolic links.

## POC Code

The following is the fixed code snippet demonstrating how to reject escaping symbolic links:

```typescript
import fs from "node:fs/promises";
import path from "node:path";
// resolvedBoundaryPath is a project helper that is not shown on this page.

async function assertSafeUploadSymlinks(localDir: string): Promise<void> {
  const rootDir = path.resolve(localDir);
  await walkDirectory(rootDir);

  async function walkDirectory(currentDir: string): Promise<void> {
    const entries = await fs.readdir(currentDir, { withFileTypes: true });
    for (const entry of entries) {
      const entryPath = path.join(currentDir, entry.name);
      if (entry.isSymbolicLink()) {
        const relativePath = path.relative(rootDir, entryPath).split(path.sep).join("/");
        const message = `SSH sandbox upload refuses symlink escaping the workspace: ${relativePath}`;
        let resolvedPath;
        try {
          resolvedPath = await resolvedBoundaryPath({
            absolutePath: entryPath,
            rootPath: rootDir,
            boundaryLabel: "SSH sandbox upload tree",
          });
        } catch (error) {
          // Fail closed: a link the boundary helper cannot resolve is rejected.
          throw new Error(message, { cause: error });
        }
        if (resolvedPath !== entryPath) {
          throw new Error(message);
        }
        continue; // symlinks are never descended into
      }
      if (entry.isDirectory()) {
        await walkDirectory(entryPath);
      }
    }
  }
}
```

This code checks all symbolic links in the uploaded directory via the `assertSafeUploadSymlinks` function to ensure they do not point to paths outside the sandbox. If an escaping symbolic link is detected, an error is thrown.
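
The same boundary check can be exercised without the project's helper. The block below is an added example, not OpenClaw's code: `findEscapingSymlinks` and `buildSampleTree` are hypothetical names, the check uses `fs.realpathSync` in place of the project's boundary helper, and the directory tree is constructed for the demonstration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical helper (not the project's code): returns the relative paths of
// symlinks under localDir whose targets resolve outside it or cannot be resolved.
function findEscapingSymlinks(localDir: string): string[] {
  // Canonicalise the root first so a symlinked temp directory does not skew the comparison.
  const rootDir = fs.realpathSync(path.resolve(localDir));
  const escaping: string[] = [];
  const walk = (dir: string): void => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const entryPath = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let inside = false;
        try {
          // realpathSync follows every link in the chain, so nested links are covered.
          const rel = path.relative(rootDir, fs.realpathSync(entryPath));
          inside = rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
        } catch {
          inside = false; // dangling or looping link: fail closed
        }
        if (!inside) escaping.push(path.relative(rootDir, entryPath).split(path.sep).join("/"));
        continue; // never descend through a symlink
      }
      if (entry.isDirectory()) walk(entryPath);
    }
  };
  walk(rootDir);
  return escaping.sort();
}

// Constructed sample tree: one in-tree link, two escaping links, one dangling link.
function buildSampleTree(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "upload-demo-"));
  const root = path.join(base, "workspace");
  fs.mkdirSync(path.join(root, "sub"), { recursive: true });
  fs.writeFileSync(path.join(root, "ok.txt"), "inside");
  fs.writeFileSync(path.join(base, "secret.txt"), "outside");
  fs.symlinkSync("../ok.txt", path.join(root, "sub", "inside-link"));
  fs.symlinkSync("../../secret.txt", path.join(root, "sub", "outside-link"));
  fs.symlinkSync(path.join(base, "secret.txt"), path.join(root, "abs-link"));
  fs.symlinkSync("missing", path.join(root, "dangling"));
  return root;
}

console.log(findEscapingSymlinks(buildSampleTree()));
```

A regression test for the upload path can build a tree like this one and assert that the upload is refused before any file is transferred.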