Severity: 5.5 (CVSS 3.1)

OpenClaw tar file safety checks bypassed, local service impact

GHSA-77hf-7fqf-f227
Summary

A security issue in OpenClaw allows a malicious tar file to disrupt the service installing skills, causing it to become unavailable. This affects OpenClaw versions up to 2026.3.1. To fix, upgrade to version 2026.3.2 or later.

What to do
  • Update openclaw to version 2026.3.2.
Affected software
Vendor | Product  | Affected versions | Fix available
–      | openclaw | <= 2026.3.1       | 2026.3.2
Original title
OpenClaw skills-install-download: tar.bz2 extraction bypassed archive safety parity checks (local DoS)
Original description
### Summary
The `tar.bz2` installer path in `src/agents/skills-install-download.ts` used shell tar preflight/extract logic that did not share the same hardening guarantees as the centralized archive extractor.

This allowed crafted `.tar.bz2` archives to bypass special-entry blocking and extracted-size guardrails enforced on other archive paths, causing local availability impact during skill install.
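As an added illustration of the two parity checks the advisory says the `tar.bz2` path lacked (this is not OpenClaw's code and not the fix commit), the TypeScript below walks a decompressed tar stream and refuses special entries and archives whose cumulative extracted size exceeds a cap. The `header`/`concat` helpers and any archive built with them are constructed for the demonstration; bz2 decompression is assumed to have happened already.

```typescript
// Added example, not OpenClaw's code: preflight over a decompressed ustar
// stream. Mirrors the guardrails the advisory describes: block special
// entries (links, devices, FIFOs, PAX/GNU extension headers) and cap the
// cumulative extracted size before any byte is written to disk.

const BLOCK = 512;
type Verdict = { ok: boolean; entries: number; bytes: number; reason: string };

function ascii(bytes: Uint8Array, off: number, len: number): string {
  let s = "";
  for (let i = off; i < off + len && bytes[i] !== 0; i++) s += String.fromCharCode(bytes[i]);
  return s;
}

/** Walk tar headers; reject on the first special entry or when the size cap is hit. */
function preflightTar(tar: Uint8Array, maxBytes: number): Verdict {
  let off = 0, entries = 0, total = 0;
  while (off + BLOCK <= tar.length) {
    const hdr = tar.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break;                 // end-of-archive marker
    const name = ascii(hdr, 0, 100);
    const size = parseInt(ascii(hdr, 124, 12).trim() || "0", 8);
    const type = String.fromCharCode(hdr[156] || 0x30);  // NUL typeflag means regular file
    if (isNaN(size) || size < 0) return { ok: false, entries, bytes: total, reason: `bad size for ${name}` };
    // Allowlist: regular files ('0') and directories ('5') only; everything else is special.
    if (type !== "0" && type !== "5") return { ok: false, entries, bytes: total, reason: `special entry ${name} (type ${type})` };
    total += size;
    if (total > maxBytes) return { ok: false, entries, bytes: total, reason: `extracted size ${total} exceeds cap ${maxBytes}` };
    entries++;
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;       // skip header plus padded data blocks
  }
  return { ok: true, entries, bytes: total, reason: "" };
}

/** Constructed test helper: minimal ustar header (checksum field left blank, not verified above). */
function header(name: string, size: number, type: string): Uint8Array {
  const h = new Uint8Array(BLOCK);
  for (let i = 0; i < name.length; i++) h[i] = name.charCodeAt(i);
  const oct = ("00000000000" + size.toString(8)).slice(-11);
  for (let i = 0; i < 11; i++) h[124 + i] = oct.charCodeAt(i);
  h[156] = type.charCodeAt(0);
  return h;
}

/** Constructed test helper: join header and data blocks into one archive buffer. */
function concat(parts: Uint8Array[]): Uint8Array {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let o = 0;
  for (const p of parts) { out.set(p, o); o += p.length; }
  return out;
}
```

Because the size check runs on declared header sizes before extraction, a "bomb" archive is rejected without reading its data blocks at all.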

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published at triage time: `2026.3.1`
- Affected range: `<= 2026.3.1`
- Patched in: `2026.3.2` (released)

### Impact
Local DoS / availability impact when processing untrusted `.tar.bz2` skill archives.

### Fix Commit(s)
- `0dbb92dd2bcf9a32379d11c0f11ed016669dae3e`

### Related advisories
- Canonical overlap (closed): GHSA-3pj7-x8jr-jvj8
- Duplicate variant (closed): GHSA-rgr7-g85h-6v82
Source: ghsa · CVSS 3.1: 5.5
Vulnerability type
CWE-400 Uncontrolled Resource Consumption
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification)
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026