CVE-2026-32044

MEDIUM

OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation

Title source: cna

Description

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.

References (3)

[Third Party Advisory] https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227

[Patch] https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e

View Patch ZIP pw:eip

[Third Party Advisory] https://www.vulncheck.com/advisories/openclaw-tar-archive-safety-bypass-in-skills-installation

Scores

CVSS v3 5.5

EPSS 0.0002

EPSS Percentile 4.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

CWE

CWE-409

Status published

Products (3)

OpenClaw/OpenClaw < 2026.3.2

openclaw/openclaw < 2026.3.2

OpenClaw/OpenClaw 2026.3.2

Published Mar 21, 2026

Tracked Since Mar 21, 2026