
CVE Reports

Originally published at cvereports.com

GHSA-V892-HWPG-JWQP: Zip Slip Path Traversal in OpenClaw Archive Extraction

Vulnerability ID: GHSA-V892-HWPG-JWQP
CVSS Score: 8.8
Published: 2026-03-02

A critical Zip Slip vulnerability exists in OpenClaw versions prior to 2026.2.14. The application's archive extraction mechanism failed to properly validate entry paths within ZIP and TAR archives, allowing malicious actors to write arbitrary files to the filesystem outside the intended destination directory. This flaw affects the skill installation process and internal asset management, potentially leading to Remote Code Execution (RCE) via configuration or executable overwrite.

TL;DR

OpenClaw prior to v2026.2.14 contains a Zip Slip vulnerability in its skill installation logic. Attackers can craft malicious archives with directory traversal sequences (e.g., ../../) to overwrite critical system files when the archive is extracted. This can result in arbitrary code execution or system compromise.

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network / Local (User Interaction)
  • Impact: Arbitrary File Write / RCE
  • Severity: High
  • Exploit Status: PoC Available
  • Platform: Node.js

Affected Systems

  • OpenClaw (NPM Package)
  • openclaw: < 2026.2.14 (Fixed in: 2026.2.14)

Code Analysis

Commit: 3aa94af

Fix Zip Slip vulnerability and harden archive extraction logic

Mitigation Strategies

  • Update OpenClaw to version 2026.2.14 or later immediately.
  • Run OpenClaw with the least privilege necessary (avoid root).
  • Use containerization (Docker) with read-only root filesystems where possible.

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Run npm update openclaw or yarn upgrade openclaw to pull the latest version.
  3. Verify the installed version is >= 2026.2.14 using npm list openclaw.
  4. Audit the filesystem for unexpected files, particularly in sensitive directories like .ssh or system binary folders, if a compromise is suspected.

Read the full report for GHSA-V892-HWPG-JWQP on our website for more details including interactive diagrams and full exploit analysis.
