CVE-2026-27008 Overview
CVE-2026-27008 is a Path Traversal vulnerability affecting OpenClaw, a personal AI assistant application. Prior to version 2026.2.15, a bug in the download skill installation functionality allowed targetDir values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only skills.install flow, this could enable an attacker to write files outside the intended install sandbox.
Critical Impact
Authenticated administrators exploiting this vulnerability could write arbitrary files outside the designated skill tools directory, potentially compromising system integrity or achieving persistence on the affected host.
Affected Products
- OpenClaw versions prior to 2026.2.15
- OpenClaw Node.js package installations
Discovery Timeline
- 2026-02-20 - CVE-2026-27008 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-27008
Vulnerability Analysis
This vulnerability falls under CWE-73 (External Control of File Name or Path), a weakness where the application allows user-controlled input to influence file system paths without proper validation. In OpenClaw's case, the targetDir parameter extracted from skill frontmatter metadata was not adequately sanitized before being used to construct file paths during the skill installation process.
The vulnerability requires local access and high privileges (admin-only flow), which limits the attack surface. However, a malicious administrator or an attacker who has compromised admin credentials could leverage this flaw to write files to arbitrary locations on the file system, potentially overwriting critical configuration files, injecting malicious code into application directories, or establishing persistence mechanisms.
Root Cause
The root cause of this vulnerability lies in insufficient path validation within the skill download and installation process. The targetDir value from skill frontmatter was used to construct file paths without verifying that the resolved path remained within the designated tools directory sandbox. This allowed path traversal sequences or absolute paths in the frontmatter to escape the intended installation boundary.
Attack Vector
The attack requires local access with administrative privileges. An attacker would need to:
- Have admin access to the OpenClaw installation
- Create or modify a skill package with a malicious targetDir value in its frontmatter
- Install the malicious skill using the skills.install flow
- The application would then write files to the attacker-specified location outside the tools sandbox
The fix introduced in version 2026.2.15 implements proper path resolution and validation:
+import path from "node:path";
+import type { SkillEntry } from "./types.js";
+import { safePathSegmentHashed } from "../../infra/install-safe-path.js";
+import { resolveConfigDir } from "../../utils.js";
+import { resolveSkillKey } from "./frontmatter.js";
+
+export function resolveSkillToolsRootDir(entry: SkillEntry): string {
+ const key = resolveSkillKey(entry.skill, entry);
+ const safeKey = safePathSegmentHashed(key);
+ return path.join(resolveConfigDir(), "tools", safeKey);
+}
Source: GitHub Commit
The patch also adds safe base directory resolution to the archive extraction process:
import { Readable, Transform } from "node:stream";
import { pipeline } from "node:stream/promises";
import * as tar from "tar";
+import { resolveSafeBaseDir } from "./path-safety.js";
export type ArchiveKind = "tar" | "zip";
Source: GitHub Commit
Detection Methods for CVE-2026-27008
Indicators of Compromise
- Unexpected files appearing outside the OpenClaw tools directory following skill installation
- File system events showing write operations to sensitive directories during skills.install operations
- Skill packages containing unusual targetDir values with path traversal patterns (e.g., ../, absolute paths)
Detection Strategies
- Monitor file system activity during skill installation for writes outside the tools directory
- Implement file integrity monitoring on critical system directories
- Audit skill package frontmatter for suspicious targetDir configurations before installation
- Review admin activity logs for unusual skill installation patterns
Monitoring Recommendations
- Enable verbose logging for the skills.install flow to capture target directory resolutions
- Set up alerts for file creation events in sensitive directories correlating with OpenClaw process activity
- Periodically audit installed skills and their associated file system footprints
How to Mitigate CVE-2026-27008
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.15 or later immediately
- Audit existing installed skills for any signs of exploitation
- Review file system for unauthorized files that may have been written outside the tools directory
- Restrict admin access to trusted personnel only
Patch Information
OpenClaw has released version 2026.2.15 which contains a fix for this vulnerability. The patch implements proper path sanitization using safePathSegmentHashed() and resolveSafeBaseDir() functions to ensure skill installation paths cannot escape the designated sandbox.
For detailed patch information, refer to:
Workarounds
- Restrict admin access to the OpenClaw installation until the patch can be applied
- Implement file system permissions to prevent writes outside designated directories
- Use container isolation or sandboxing to limit the impact of potential file write escapes
# Configuration example - Restrict tools directory permissions
chmod 755 /path/to/openclaw/config/tools
chown -R openclaw:openclaw /path/to/openclaw/config/tools
# Enable audit logging for the tools directory
auditctl -w /path/to/openclaw/config/tools -p wa -k openclaw_tools
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
