6.8
OpenClaw Installation Can Write Malicious Files Outside Its Folder
CVE-2026-28486
GHSA-v892-hwpg-jwqp
Summary
OpenClaw versions 2026.1.16-2 through 2026.2.13 have a path traversal flaw in archive extraction: a crafted archive processed by an installation command can write files outside the intended directory, anywhere on the system. An attacker can use this to keep malicious code running on the system or to take control of it. Update to version 2026.2.14 or later to fix this issue.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | > 2026.1.16-2 , <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | > 2026.1.20 , <= 2026.2.14 | – |
| openclaw | openclaw | 2026.1.16-2 | – |
Original title
OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended dir...
Original description
OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.
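An added example, not OpenClaw's code or its fix: one way to validate every archive entry against the destination directory before anything is extracted, which is the check a path traversal of this kind gets past. The destination path, the `{ name, type }` entry shape and the sample names are assumptions constructed for illustration.

```javascript
const path = require("node:path");

// Resolve one archive entry name against destDir. Returns the absolute
// target path, or null when the entry would be written outside destDir.
function safeTarget(destDir, entryName) {
  const root = path.resolve(destDir);
  // Archives built on Windows may use "\" separators; normalise first.
  const name = entryName.replace(/\\/g, "/");
  if (name.includes("\0")) return null;
  // Absolute POSIX paths and drive-letter paths ignore destDir entirely.
  if (name.startsWith("/") || /^[A-Za-z]:/.test(name)) return null;
  const target = path.resolve(root, name);
  // Compare with path.relative, not startsWith(root): a plain prefix test
  // would accept the sibling directory "<root>-evil".
  const rel = path.relative(root, target);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Check every entry before anything is written, so a bad archive is
// rejected as a whole instead of being half-extracted.
// entries: [{ name, type }] with type "file" | "directory" | "symlink"
// (hypothetical shape; adapt to the archive library in use).
function auditArchive(destDir, entries) {
  const rejected = [];
  for (const { name, type } of entries) {
    if (type === "symlink") {
      // A link entry can redirect later writes outside destDir.
      rejected.push({ name, reason: "link entry" });
    } else if (safeTarget(destDir, name) === null) {
      rejected.push({ name, reason: "escapes destination" });
    }
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample listing, not taken from a real archive.
const sample = [
  { name: "demo-skill/index.js", type: "file" },
  { name: "demo-skill/../../../tmp/outside.txt", type: "file" },
  { name: "../skills-evil/run.js", type: "file" },
  { name: "..\\..\\startup.cmd", type: "file" },
  { name: "demo-skill/latest", type: "symlink" },
];
console.log(auditArchive("/opt/example/skills", sample));
```

The check works on entry names only; an extractor also needs to refuse to write through symlinks that already exist inside the destination directory.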
NVD CVSS 3.1
6.1
NVD CVSS 4.0
6.8
Vulnerability type
CWE-22
Path Traversal
- https://nvd.nist.gov/vuln/detail/CVE-2026-28486
- https://github.com/advisories/GHSA-v892-hwpg-jwqp
- https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0da...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp
- https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive...
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026