Description
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.
Published: 2026-03-05
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Path traversal that can overwrite files outside the intended extraction directory, enabling configuration tampering and possible code execution
Action: Immediate Patch
AI Analysis

Impact

OpenClaw versions prior to 2026.2.14 perform TAR archive extraction without validating the entry paths. The flaw allows malicious archives to contain traversal sequences such as ../../, causing the extraction routine to write files to locations outside the intended directory. An attacker could overwrite critical configuration files or drop executable code, giving them the same privileges as the OpenClaw process.

Affected Systems

All OpenClaw releases before 2026.2.14 are affected. The vulnerability resides in the Node.js package of OpenClaw, and no other version constraints are specified beyond the version boundary. Users who have not upgraded to 2026.2.14 or later remain at risk.

Risk and Exploitability

The CVSS score of 8.3 indicates high severity, while an EPSS score of less than 1% suggests a very low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known active exploits. The likely attack vector requires an attacker to supply a malformed TAR archive to the OpenClaw extraction routine; if such archives can be provided remotely through an API or upload endpoint, the potential impact increases. If the archive originates locally, the risk is confined to the host system. The flaw compromises file integrity and can lead to arbitrary code execution when an attacker overwrites executable or privileged files.

Generated by OpenCVE AI on April 17, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.2.14 or later, which includes validation of TAR entry paths.
  • If an upgrade is not immediately possible, configure the extraction routine to use a dedicated, permissions‑restricted directory and log any files created outside that directory for audit.
  • Enforce file‑system permissions on the OpenClaw process to block writes to system directories such as /etc, /usr/local, or other critical locations.
  • Where feasible, disable or secure any API endpoints or upload mechanisms that accept TAR archives from untrusted sources.

Generated by OpenCVE AI on April 17, 2026 at 12:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p25h-9q54-ffvw OpenClaw has Zip Slip path traversal in tar archive extraction
History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Description OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.
Title OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction
First Time appeared Openclaw
Openclaw openclaw
Weaknesses CWE-22
CPEs cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products Openclaw
Openclaw openclaw
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Openclaw Openclaw
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-09T16:57:56.071Z

Reserved: 2026-02-27T19:17:17.842Z

Link: CVE-2026-28453

cve-icon Vulnrichment

Updated: 2026-03-09T16:57:50.540Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T22:16:17.617

Modified: 2026-03-09T18:04:19.843

Link: CVE-2026-28453

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses