6.9
OpenClaw Installer Can Write Files Outside Intended Tools Directory
GHSA-vhwf-4x96-vqx2
Summary
A security issue in OpenClaw's skills download installer allows a local attacker to redirect it into writing files outside the intended tools directory, which could lead to malicious code being placed on the system. Update to OpenClaw 2026.3.8, which fixes the issue.
What to do
- Update openclaw to version 2026.3.8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.7 | 2026.3.8 |
Original title
OpenClaw's skills-install-download can be redirected outside the tools root by rebinding the validated base path
Original description
OpenClaw's skills download installer validated the intended per-skill tools root lexically, but later reused that mutable path while downloading and copying the archive into place. If a local attacker could rebind that tools-root path between validation and the final write, the installer could be redirected to write outside the intended tools directory.
The fix pins the canonical per-skill tools root immediately after validation and derives later download/copy paths from that canonical root, so rebinding the lexical path fails closed instead of redirecting the write.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published vulnerable version: `2026.3.7`
- Affected range: `<= 2026.3.7`
- Fixed in released version: `2026.3.8`
## Fix Commit(s)
- `9abf014f3502009faf9c73df5ca2cff719e54639`
## Release Verification
- Verified fixed in GitHub release `v2026.3.8` published on March 9, 2026.
- Verified `npm view openclaw version` resolves to `2026.3.8`.
- Verified the release contains the regression test covering tools-root rebinding and that the test passes against the `v2026.3.8` tree.
Thanks @tdjackey for reporting.
Source: GHSA · CVSS 4.0 score: 6.9
Vulnerability type
CWE-367 (Time-of-check Time-of-use race condition)
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026