OpenClaw fails to validate TAR archive paths, potentially allowing attackers to write files anywhere
CVE-2026-28453
GHSA-p25h-9q54-ffvw
Summary
Versions of OpenClaw prior to 2026.2.14 do not validate the destination path of each entry when extracting TAR archives. An attacker who can supply an archive can therefore craft entries whose paths escape the intended extraction directory and write files elsewhere on the filesystem. To fix this, update to version 2026.2.14 or later.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft...
Original description
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.
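As an added example (not OpenClaw's code, and not the fix from the linked commit), the per-entry check an extractor needs before writing any TAR member: it rejects absolute names, `../` traversal in the entry name, and symlink or hardlink entries whose target would land outside the destination. The archive is constructed in memory and the destination `/srv/openclaw/extract` is a placeholder.

```python
import io
import os
import tarfile

def is_within(base: str, target: str) -> bool:
    """True when target, after normalisation, still lies inside base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def check_entry(member: tarfile.TarInfo, dest: str) -> bool:
    """Decide whether one archive entry may be extracted under dest.
    Run this before writing each entry, against the on-disk state, so an
    earlier symlink entry cannot redirect a later write."""
    candidate = os.path.join(dest, member.name)  # an absolute name discards dest
    if not is_within(dest, candidate):
        return False
    if member.issym():  # symlink target is relative to the entry's directory
        return is_within(dest, os.path.join(os.path.dirname(candidate), member.linkname))
    if member.islnk():  # hardlink target is relative to the archive root
        return is_within(dest, os.path.join(dest, member.linkname))
    return True

def classify_entries(archive_bytes: bytes, dest: str):
    """Split archive entry names into (safe, rejected) lists."""
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tf:
        for member in tf.getmembers():
            (safe if check_entry(member, dest) else rejected).append(member.name)
    return safe, rejected

def build_sample_archive() -> bytes:
    """Constructed in-memory TAR: one benign file plus three hostile entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in [("app/config.json", b"{}"),
                           ("../../etc/evil.conf", b"x"),
                           ("/etc/evil.conf", b"x")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("app/link")  # symlink pointing above dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tf.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_entries(build_sample_archive(), "/srv/openclaw/extract"))
```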
NVD CVSS 3.1 score: 7.5
NVD CVSS 4.0 score: 8.3
Vulnerability type
CWE-22
Path Traversal
- https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0da...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw
- https://www.vulncheck.com/advisories/openclaw-zip-slip-path-traversal-in-tar-arc...
- https://nvd.nist.gov/vuln/detail/CVE-2026-28453
- https://github.com/advisories/GHSA-p25h-9q54-ffvw
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026