CVE-2026-28486

MEDIUM

OpenClaw 2026.1.16-2 - Path Traversal

Title source: llm

Description

OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.

References (3)

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp

[Patch] https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (3)

npm/openclaw 2026.1.16-2 - 2026.2.14npm

openclaw/openclaw 2026.1.16-2

openclaw/openclaw 2026.1.20 - 2026.2.14

Published Mar 05, 2026

Tracked Since Mar 06, 2026