Description
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.
Published: 2026-03-19
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a race condition in the ZIP extraction routine of OpenClaw before 2026.3.2 that enables a local attacker to write files outside the intended extraction directory. By manipulating parent directory symlinks during the time-of-check-time-of-use race, the attacker can redirect file writes to arbitrary locations, resulting in an arbitrary file write weakness (CWE-367). The impact is that the attacker could overwrite critical system files or create malicious executables, potentially leading to further compromise.

Affected Systems

Affected vendors and products: OpenClaw by OpenClaw. Vulnerable versions are all OpenClaw releases earlier than 2026.3.2. No specific version numbers beyond this cutoff are listed.

Risk and Exploitability

The CVSS base score is 5.8, indicating moderate severity. EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitability relies on a local user context, as the race condition is triggered by locally executing the ZIP extraction process. There is no known publicly available exploit code at this time; however, local attackers with sufficient privileges could craft a malicious ZIP file to trigger the write beyond the extraction root.

Generated by OpenCVE AI on March 19, 2026 at 02:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.3.2 or later.
  • Ensure the application only extracts ZIP files from trusted sources and that the user running the extraction has minimal privileges.
  • Monitor OpenClaw release notes and security advisories for updates.
  • If immediate upgrade is impossible, restrict local user permissions and monitor the system for unauthorized file writes.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 01:30:00 +0000

Values Removed: (none)
Values Added, by type:
  Description: OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.
  Title: OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition
  First Time appeared: Openclaw; Openclaw openclaw
  Weaknesses: CWE-367
  CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
  Vendors & Products: Openclaw; Openclaw openclaw
  References: (none)
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L'}; cvssV4_0 {'score': 5.8, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Openclaw Openclaw
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-19T13:45:23.135Z

Reserved: 2026-02-23T12:14:45.493Z

Link: CVE-2026-27670

Vulnrichment

Updated: 2026-03-19T13:45:19.052Z

NVD

Status: Analyzed

Published: 2026-03-19T02:16:02.173

Modified: 2026-03-19T19:18:45.530

Link: CVE-2026-27670

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:35Z

Weaknesses