Impact
OpenClaw before 2026.3.31 contains a symlink following vulnerability in its SSH sandbox tar upload feature. The flaw permits a remote attacker to craft a tar archive that includes a symlink pointing outside the intended extraction directory, enabling the attacker to overwrite arbitrary files on the host once the upload is processed. This affects the confidentiality, integrity, and availability of the system, since the attacker can place or modify files with system-level privileges, potentially facilitating further compromise. The weakness is classified as CWE-59, Improper Link Resolution Before File Access ('Link Following'), which covers cases where a path or link is resolved to an unintended location before a file is accessed.
Affected Systems
Vendor: OpenClaw; product: OpenClaw. All releases prior to version 2026.3.31 are vulnerable. The affected product is listed under the CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*. Administrators should verify whether their deployment runs a version older than 2026.3.31 to determine if remediation is required.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity. The vulnerability is exploitable by a remote attacker without authentication, as it relies solely on the ability to upload a tar file via the SSH sandbox; based on the description, it is inferred that the attacker can do this without prior authentication, simply by uploading a malicious archive. Although EPSS data is currently unavailable, the absence of a CISA KEV listing suggests there have not yet been widespread public exploitation reports. Nevertheless, the potential for arbitrary file overwrite remains substantial, and an attacker who can upload a malicious archive could compromise the system quickly. The attack vector is inferred to be remote, over the web interface or SSH session that accepts tar uploads.
OpenCVE Enrichment