Description
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.
Published: 2026-03-21
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service during skill installation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an archive extraction flaw in the tar.bz2 installer path of OpenClaw prior to version 2026.3.2. That path bypasses safety checks that the other archive formats enforce, so an attacker can craft a malicious tar.bz2 skill archive that evades special-entry blocking and the extracted-size guardrail. The result is a local denial of service when the skill is installed, compromising the availability of the system or application that hosts OpenClaw.

Affected Systems

All installations of OpenClaw running versions earlier than 2026.3.2 are affected. The flaw exists in the OpenClaw installer component that handles skill packages delivered as tar.bz2 archives.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity. Exploitability is limited to cases where an attacker can cause a skill installation, for example a local attacker or one who gains upload rights to the skill store. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local skill installation with a crafted archive, leading to a denial of service.

Generated by OpenCVE AI on March 21, 2026 at 06:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply OpenClaw version 2026.3.2 or newer to fix the archive extraction bug.
  • If an upgrade is not immediately possible, restrict skill installation to trusted sources and disable or monitor automatic installation of tar.bz2 bundles.
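The defensive pattern behind this advisory is that archive safety checks must run on the tar members themselves, before extraction, regardless of which compression wrapper (plain, gzip, bzip2) delivered the tar stream; a check that lives only in one format's code path is exactly what gets bypassed here. The following is an added illustration written for this page, not OpenClaw's code or its real installer logic. It is in Python because tarfile sniffs the wrapper for us and so makes the "same gate for every format" point concrete; the 50 MiB size cap, the entry-kind names and the in-memory fixture builder are assumptions for the example.

```python
"""Compression-agnostic safety checks for tar-based skill bundles.

Illustrative hardening code written for this page; it is not OpenClaw's
implementation. It enforces the two guardrails the advisory names
(special-entry blocking and an extracted-size cap) on the member headers
before anything is written to disk, and it opens the archive with
mode "r:*" so plain, gzip and bzip2 wrappers all pass through the same gate.
"""
import io
import tarfile
from pathlib import PurePosixPath

# Assumed policy value for the example; the product's real limit is not on the page.
DEFAULT_MAX_EXTRACTED_BYTES = 50 * 1024 * 1024

# A skill bundle legitimately needs only plain files and directories.
ALLOWED_TYPES = frozenset({tarfile.REGTYPE, tarfile.AREGTYPE, tarfile.DIRTYPE})

# Human-readable entry kinds used by the constructed fixture builder below.
ENTRY_KINDS = {
    "file": tarfile.REGTYPE,
    "dir": tarfile.DIRTYPE,
    "symlink": tarfile.SYMTYPE,
    "hardlink": tarfile.LNKTYPE,
    "chardev": tarfile.CHRTYPE,
    "fifo": tarfile.FIFOTYPE,
}


class UnsafeArchive(ValueError):
    """The bundle violates the extraction policy; nothing has been extracted."""


def check_members(archive_bytes, max_extracted_bytes=DEFAULT_MAX_EXTRACTED_BYTES):
    """Validate every member header and return the total declared extracted size.

    Raises UnsafeArchive on the first violation. The checks are identical for
    every compression wrapper because tarfile detects the wrapper itself.
    """
    total = 0
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tf:
        for member in tf:
            # Special-entry blocking: links, devices and FIFOs are rejected outright.
            if member.type not in ALLOWED_TYPES:
                raise UnsafeArchive(
                    f"special entry blocked: {member.name!r} (type {member.type!r})")
            # Path confinement: no absolute names and no '..' components.
            if member.name.startswith("/") or ".." in PurePosixPath(member.name).parts:
                raise UnsafeArchive(f"unsafe path: {member.name!r}")
            # Extracted-size guardrail: the header-declared size is what extraction
            # would write, so the cap holds whatever the compression ratio is.
            total += member.size
            if total > max_extracted_bytes:
                raise UnsafeArchive(
                    f"extracted size {total} exceeds cap {max_extracted_bytes}")
    return total


def classify(archive_bytes, max_extracted_bytes=DEFAULT_MAX_EXTRACTED_BYTES):
    """Return 'ok' or the rejection reason, suitable for a pre-install gate or log."""
    try:
        check_members(archive_bytes, max_extracted_bytes)
        return "ok"
    except UnsafeArchive as exc:
        return str(exc)
    except tarfile.TarError as exc:
        return f"malformed archive: {exc}"


def build_tar(entries, compression="bz2"):
    """Constructed fixture: build a tar in memory from (name, kind, payload) tuples.

    kind is a key of ENTRY_KINDS; payload is file content for "file", the link
    target for "symlink"/"hardlink", and ignored otherwise. compression is
    "bz2", "gz" or "" for an uncompressed tar.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:" + compression) as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            info.type = ENTRY_KINDS[kind]
            if kind == "file":
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
            else:
                if kind in ("symlink", "hardlink"):
                    info.linkname = payload
                tf.addfile(info)
    return buf.getvalue()


if __name__ == "__main__":
    benign = build_tar([("skill/", "dir", None), ("skill/SKILL.md", "file", b"# demo\n")])
    print(classify(benign))                                       # ok
    print(classify(build_tar([("skill/tty", "chardev", None)])))  # special entry blocked ...
```

The gate is deliberately a pure function of the bytes: it can sit in front of any installer path, and the same `classify` call is what a test suite would run against a .tar, .tar.gz and .tar.bz2 copy of each fixture to prove no format slips past the policy.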


Tracking


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 21 Mar 2026 05:30:00 +0000

Type: Description
Values Added: OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.

Type: Title
Values Added: OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation

Type: First Time appeared
Values Added: Openclaw; Openclaw openclaw

Type: Weaknesses
Values Added: CWE-409

Type: CPEs
Values Added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Type: Vendors & Products
Values Added: Openclaw; Openclaw openclaw

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}
cvssV4_0 {'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:56:13.757Z

Reserved: 2026-03-10T19:48:44.964Z

Link: CVE-2026-32044

Vulnrichment

Updated: 2026-03-23T16:46:53.663Z

NVD

Status: Analyzed

Published: 2026-03-21T01:17:06.950

Modified: 2026-03-23T17:10:11.440

Link: CVE-2026-32044

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:33:29Z

Weaknesses