CVE-2026-28486

MEDIUM

OpenClaw 2026.1.16-2 - Path Traversal

Title source: llm

Description

OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution.

References (3)

[Patch] https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-path-traversal-zip-slip-in-archive-extraction-via-installation-commands

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Classification

CWE

CWE-22

Status draft

Affected Products (1)

npm/openclaw < 2026.2.14npm

Timeline

Published Mar 05, 2026

Tracked Since Mar 06, 2026