
Arbitrary File Write Flaws in OpenClaw and ONNX Enable Code Execution

Tags: open-source-dependency-vulnerability, proof-of-concept-release
Updated April 2, 2026 at 06:01 AM | 2 sources

Two high-severity vulnerabilities were disclosed in OpenClaw and ONNX that can let attackers write to unintended files and potentially gain code execution. In OpenClaw, GHSA-7XR2-Q9VF-X4R5 describes a symlink traversal issue involving IDENTITY.md that allows an authenticated attacker, over the network with low complexity and no additional user interaction, to append user-controlled content to any file writable by the Node.js process. The flaw was rated CVSS 8.8 and can affect confidentiality, integrity, and availability, with reported outcomes including privilege escalation, persistent shell access, data corruption, denial of service, and remote code execution.

A separate CVSS 8.8 issue in ONNX, tracked as CVE-2025-51480 / GHSA-Q56X-G2FJ-4RJ6, affects save_external_data and allows path traversal that can overwrite or read arbitrary files when a crafted model is processed. The reported impact includes overwriting files such as ~/.ssh/authorized_keys, ~/.bashrc, or scheduled task definitions, which can escalate to remote code execution under the privileges of the user running the ONNX workflow. In containerized environments, the flaw can also lead to full container compromise and possible lateral movement within a cluster.
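
The containment check that both write-path issues call for, as an added Python example (not code from ONNX, OpenClaw or either advisory). `resolve_inside` and `check_locations` are hypothetical names, and the directory and file names in `demo` are constructed.

```python
import os
import tempfile
from pathlib import Path


class UnsafePathError(ValueError):
    """A model-supplied location would land outside the base directory."""


# Hypothetical helper: rejects absolute paths, `..` traversal and symlinks.
def resolve_inside(base_dir, location):
    """Return the real path of `location` under `base_dir`, or raise."""
    base = Path(base_dir).resolve(strict=True)
    if not location or "\x00" in location:
        raise UnsafePathError("empty or NUL-containing location")
    if os.path.isabs(location):
        raise UnsafePathError("absolute location")
    # resolve() follows symlinks in every existing component of the path.
    candidate = (base / location).resolve(strict=False)
    if not candidate.is_relative_to(base):
        raise UnsafePathError("escapes base directory")
    return candidate


def check_locations(base_dir, locations):
    """Map each location to 'ok' or 'rejected: <reason>' for triage."""
    results = {}
    for loc in locations:
        try:
            resolve_inside(base_dir, loc)
            results[loc] = "ok"
        except UnsafePathError as exc:
            results[loc] = f"rejected: {exc}"
    return results


def demo():
    """Constructed sample: a temp model directory holding one symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "model")
        base.mkdir()
        outside = Path(tmp, "outside.txt")
        outside.write_text("x")
        os.symlink(outside, base / "link.md")  # link leaving the directory
        names = ["weights.bin", "../outside.txt", "/etc/passwd", "link.md"]
        return check_locations(str(base), names)


if __name__ == "__main__":
    print(demo())
```

A check followed by a separate open can still race with a process that swaps in a symlink between the two steps; opening the final component with `os.O_NOFOLLOW` and running the workflow as a user with a narrow set of writable files limits what a bypass can reach.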

Timeline

  1. Apr 1, 2026

    ONNX save_external_data path traversal vulnerability disclosed

    A high-severity vulnerability, CVE-2025-51480, was disclosed in ONNX save_external_data that can lead to arbitrary file overwrite or arbitrary file read in affected model processing workflows. The reported impact includes possible unauthenticated remote code execution through overwriting files such as authorized_keys, shell startup files, or cron jobs, as well as container compromise in some deployments.

  2. Mar 26, 2026

    OpenClaw symlink traversal vulnerability disclosed

    A high-severity vulnerability in OpenClaw was disclosed in which an authenticated attacker can abuse symlink traversal via IDENTITY.md to append arbitrary user-controlled strings to files writable by the Node.js process. The issue was described as enabling impacts including privilege escalation, remote code execution, persistent shell access, data corruption, and denial of service.

Related Stories

ONNX Flaws Enable Server Crashes and Arbitrary File Reads via Malicious Models

Two high-severity vulnerabilities in **ONNX** affect versions prior to `1.21.0`, allowing attackers to abuse malicious model files in different ways. **CVE-2026-34445** stems from the `ExternalDataInfo` class using Python `setattr()` on model metadata without validating supplied keys, enabling crafted ONNX files to overwrite internal object properties. The flaw is remotely exploitable with low attack complexity and no required privileges or user interaction, and can lead to server crashes and broader integrity and confidentiality impacts. A second issue, **CVE-2026-27489**, allows arbitrary file reads outside the intended model or user-supplied directory through path traversal involving symlinks. The vulnerability is classified under `CWE-23` and `CWE-61`, while the object-setting flaw is mapped to `CWE-20`, `CWE-400`, and `CWE-915`. ONNX has patched both vulnerabilities in version **`1.21.0`**, and published advisory and code references alongside the disclosures.

1 month ago

Multiple OpenClaw Flaws Enable Code Execution and Consent Bypass

OpenClaw disclosed several high-severity vulnerabilities that can lead to arbitrary code execution and security control bypass across recent releases. **CVE-2026-35641** affects versions before `2026.3.24` and lets a malicious local plugin or hook package use a crafted `.npmrc` file to override the `git` executable during `npm install`, resulting in arbitrary program execution. **CVE-2026-41349** affects versions before `2026.3.28` and allows low-privileged remote attackers to bypass execution approval through `config.patch`, silently disabling agentic consent protections. Belgium's Centre for Cybersecurity warned that multiple OpenClaw flaws can lead to RCE and urged immediate patching. Additional OpenClaw issues published shortly after expand the attack surface. **CVE-2026-41336** affects versions before `2026.3.31` and allows workspace `.env` files to override `OPENCLAW_BUNDLED_HOOKS_DIR`, causing trusted bundled hooks to be replaced with attacker-controlled code from untrusted workspaces. **CVE-2026-41352**, also fixed in `2026.3.31`, allows a device-paired node to bypass the node scope gate and execute arbitrary node commands on the host without proper pairing validation. Separately, the Node.js package **simple-git** disclosed **CVE-2026-6951**, an RCE flaw in versions before `3.36.0` caused by incomplete blocking of Git configuration options, allowing attackers to abuse `--config`, enable `protocol.ext.allow=always`, and trigger execution through an `ext::` clone source when untrusted input reaches the library's options.

1 week ago

Command Injection Flaws Expose OpenClaw and Anthropic Claude Code to RCE

Two high-severity command injection vulnerabilities have been disclosed in developer tooling and automation software, enabling arbitrary command execution through improperly sanitized shell inputs. `CVE-2026-32917` affects OpenClaw versions earlier than `2026.3.13`, where the iMessage attachment staging workflow passes unsanitized remote attachment paths directly into an SCP remote operand. If remote attachment staging is enabled, an unauthenticated attacker can use shell metacharacters in attachment paths to execute commands on configured remote hosts; the flaw is tracked as `CWE-78` and carries a CVSS v3.1 rating of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`. A separate issue, `CVE-2026-35020`, impacts Anthropic Claude Code CLI and the Claude Agent SDK, where attacker-controlled input from the `TERMINAL` environment variable can reach `/bin/sh` with `shell=true` through the command lookup helper and deep-link terminal launcher. A local attacker can exploit the bug during normal CLI use or via the deep-link handler to run arbitrary commands with the privileges of the invoking user. Both disclosures highlight continued risk from unsanitized shell metacharacters in application workflows, with OpenClaw publishing a fixing commit and security advisory alongside third-party vulnerability reporting.

3 weeks ago
