Description
OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.
Published: 2026-02-19
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Directory Traversal in Skill Install
Action: Apply Patch
AI Analysis

Impact

A flaw in the OpenClaw skill download operation allowed the target directory path supplied in skill frontmatter to resolve outside the dedicated per‑skill tools directory. The vulnerability, identified as CWE‑73, enabled file writes to arbitrary locations when an administrator used the skills.install flow, potentially permitting overwriting of sensitive or system files.

Affected Systems

OpenClaw by OpenClaw, all releases prior to version 2026.2.15 are affected. The issue was fixed in release 2026.2.15, so systems running that or newer versions are no longer vulnerable.

Risk and Exploitability

The CVSS base score is 6.8, indicating moderate severity, and the EPSS score is below 1 %, suggesting a low likelihood of exploitation. It is not listed in the CISA KEV catalog. An attacker with administrative rights to install skills could exploit the flaw by crafting a skill that directs file output to a location outside the intended sandbox, thereby modifying or replacing arbitrary files.

Generated by OpenCVE AI on April 17, 2026 at 17:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.15 or a later release that incorporates the fix.
  • Until the update can be applied, restrict the use of the skills.install flow to trusted personnel or temporarily disable the feature in the admin configuration.
  • After applying the update, verify the per‑skill tools directory permissions and conduct a file system audit to detect any unauthorized modifications.

Generated by OpenCVE AI on April 17, 2026 at 17:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-h7f7-89mm-pqh6 OpenClaw hardened the skill download target directory validation
History

Fri, 20 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:N'}

Fri, 20 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openclaw
Openclaw openclaw
Vendors & Products Openclaw
Openclaw openclaw

Thu, 19 Feb 2026 23:45:00 +0000

Type Values Removed Values Added
Description OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.
Title OpenClaw hardened the skill download target directory validation
Weaknesses CWE-73
References
Metrics cvssV4_0

{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:37:09.833Z

Reserved: 2026-02-17T03:08:23.489Z

Link: CVE-2026-27008

cve-icon Vulnrichment

Updated: 2026-02-20T15:26:50.396Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T00:16:17.460

Modified: 2026-02-20T18:01:28.333

Link: CVE-2026-27008

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses