CVE-2026-28486 Overview
OpenClaw versions from 2026.1.16-2 up to, but not including, 2026.2.14 contain a path traversal vulnerability (CWE-22) in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via the skills install, hooks install, plugins install, or signal install commands, write files to any location writable by the user running the command, enabling persistence or code execution.
This class of vulnerability, commonly known as a "Zip Slip" attack, exploits improper validation of file paths within archive entries. When a user installs a malicious package, crafted entry names containing directory traversal sequences (e.g., ../../../etc/cron.d/malicious) escape the intended extraction directory and overwrite any file the installing user can write, including system files when the command runs as root.
Critical Impact
Attackers can achieve arbitrary file writes leading to code execution or system persistence by distributing malicious OpenClaw packages that exploit the path traversal flaw during archive extraction.
Affected Products
- OpenClaw versions 2026.1.16-2 to 2026.2.13
- Systems using skills install, hooks install, plugins install, or signal install commands
- Any deployment extracting untrusted archives through affected OpenClaw installation workflows
Discovery Timeline
- 2026-03-05 - CVE-2026-28486 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28486
Vulnerability Analysis
This path traversal vulnerability stems from insufficient validation of file paths during archive extraction operations. When OpenClaw processes installation commands for skills, hooks, plugins, or signals, it extracts archive contents without properly sanitizing the destination paths. The flaw allows directory traversal sequences embedded in archive entries to escape the intended extraction root directory.
The attack requires local access and user interaction: a user must execute an installation command against a malicious archive. Upon successful exploitation, an attacker can write arbitrary files to any location writable by the OpenClaw process, potentially overwriting configuration files, planting backdoors, or achieving code execution through cron jobs or shell profile modifications.
Root Cause
The root cause is the absence of path normalization and boundary validation in the archive extraction logic. Prior to the patch, OpenClaw did not verify that resolved file paths remained within the designated extraction directory. This allowed relative path components like .. to traverse above the intended root, enabling writes to arbitrary filesystem locations.
Attack Vector
Exploitation requires local access with user interaction. An attacker creates a malicious archive containing entries with crafted filenames that include path traversal sequences. When a victim executes an OpenClaw installation command (such as openclaw skills install malicious-package.tar.gz), the archive extractor processes each entry and writes files to paths derived from the malicious filenames without validation.
The attack chain typically involves:
- Attacker creates a malicious archive with traversal paths (e.g., ../../.bashrc)
- Victim downloads and attempts to install the package
- OpenClaw extracts the archive without path validation
- Malicious files are written outside the intended directory
- Attacker achieves persistence or code execution
The security patch introduces a resolvePathWithinRoot function that validates that every resolved path remains within the designated root directory. The snippet below is the file as this page presents it; the exported DEFAULT_* constants at the top are browser temp-directory defaults from the same file and play no part in the check.
import path from "node:path";
import { resolvePreferredOpenClawTmpDir } from "../infra/tmp-openclaw-dir.js";

// Browser temp-directory defaults from the same file; not part of the containment check.
export const DEFAULT_BROWSER_TMP_DIR = resolvePreferredOpenClawTmpDir();
export const DEFAULT_TRACE_DIR = DEFAULT_BROWSER_TMP_DIR;
export const DEFAULT_DOWNLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "downloads");
export const DEFAULT_UPLOAD_DIR = path.join(DEFAULT_BROWSER_TMP_DIR, "uploads");

// Resolves a requested path against rootDir and refuses any result that lands
// outside it. Returns a discriminated union so callers must handle the failure case.
export function resolvePathWithinRoot(params: {
  rootDir: string;
  requestedPath: string;
  scopeLabel: string;
  defaultFileName?: string;
}): { ok: true; path: string } | { ok: false; error: string } {
  const root = path.resolve(params.rootDir);
  const raw = params.requestedPath.trim();
  if (!raw) {
    // No path given: fall back to the caller's default file name inside the root, if any.
    if (!params.defaultFileName) {
      return { ok: false, error: "path is required" };
    }
    return { ok: true, path: path.join(root, params.defaultFileName) };
  }
  // path.resolve collapses "." and ".." and honours absolute input, so the relative
  // path back from the root exposes any escape: it is empty (the root itself),
  // starts with "..", or is absolute (a different drive on Windows).
  const resolved = path.resolve(root, raw);
  const rel = path.relative(root, resolved);
  if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
    return { ok: false, error: `Invalid path: must stay within ${params.scopeLabel}` };
  }
  return { ok: true, path: resolved };
}
Source: GitHub Commit Details
Two properties of this check matter when reusing it. The rel.startsWith("..") test is deliberately coarse: it also refuses entries whose first component merely begins with two dots (for example ..hidden), which is safe but can reject legitimate names; the precise form is rel === ".." || rel.startsWith(".." + path.sep). The check is also purely lexical: it says nothing about symbolic links, so an extractor that first creates a symlink entry inside the root and then writes through it can still escape unless link entries are handled separately. Whether the extraction code does so is not shown on this page.
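To make the pre-patch behaviour and the effect of a containment check concrete, here is an added example in TypeScript. It is not OpenClaw's code: the archive entries are constructed in memory (no tar or zip library is used), the extractor functions and the resolveWithinRoot helper are hypothetical names written for this page, and the check mirrors the resolve/relative logic shown above. Both extractors run inside a throwaway temp directory, so the escaping writes only land inside that directory, one level above the extraction root.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// One archive entry: the name stored in the archive and the file body. This is a
// constructed stand-in for tar/zip entries so the example runs without an archive library.
interface ArchiveEntry {
  name: string;
  data: string;
}

// Constructed malicious archive: two legitimate entries plus three escape attempts.
const SAMPLE_ENTRIES: ArchiveEntry[] = [
  { name: "skill.json", data: '{"name":"demo"}' },
  { name: "lib/helper.js", data: "module.exports = 1;" },
  { name: "../escaped.txt", data: "leading traversal" },
  { name: "lib/../../escaped2.txt", data: "traversal after a normal component" },
  { name: "/tmp/absolute.txt", data: "absolute entry name" },
];

// Lexical containment check in the style of the page's resolvePathWithinRoot:
// resolve against the root, then reject anything whose relative path is empty,
// climbs out with "..", or is absolute (a different drive on Windows).
// Returns the destination path, or null when the entry must be refused.
function resolveWithinRoot(rootDir: string, entryName: string): string | null {
  const root = path.resolve(rootDir);
  const resolved = path.resolve(root, entryName);
  const rel = path.relative(root, resolved);
  if (!rel || rel.startsWith("..") || path.isAbsolute(rel)) {
    return null;
  }
  return resolved;
}

// Vulnerable extractor (the pre-patch pattern): the entry name is joined onto the
// root without a containment check, so ".." components walk out of rootDir.
function extractUnsafe(rootDir: string, entries: ArchiveEntry[]): string[] {
  const written: string[] = [];
  for (const e of entries) {
    const dest = path.join(rootDir, e.name); // normalises the path but keeps the escape
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    fs.writeFileSync(dest, e.data);
    written.push(dest);
  }
  return written;
}

// Hardened extractor: every entry goes through the containment check first.
function extractSafe(rootDir: string, entries: ArchiveEntry[]): { written: string[]; rejected: string[] } {
  const written: string[] = [];
  const rejected: string[] = [];
  for (const e of entries) {
    const dest = resolveWithinRoot(rootDir, e.name);
    if (dest === null) {
      rejected.push(e.name);
      continue;
    }
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    fs.writeFileSync(dest, e.data);
    written.push(dest);
  }
  return { written, rejected };
}

// Runs both extractors inside a throwaway temp directory and reports which files the
// vulnerable extractor placed outside its root (paths relative to the temp directory),
// whether those files really exist, and which entries the hardened extractor refused.
function runDemo(): { escaped: string[]; escapedExist: boolean; rejected: string[] } {
  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "zipslip-demo-"));
  try {
    const unsafeRoot = path.join(tmp, "unsafe-root");
    const safeRoot = path.join(tmp, "safe-root");
    const written = extractUnsafe(unsafeRoot, SAMPLE_ENTRIES);
    const outside = written.filter((p) => path.relative(unsafeRoot, p).startsWith(".."));
    const escaped = outside.map((p) => path.relative(tmp, p));
    const escapedExist = outside.every((p) => fs.existsSync(p));
    const { rejected } = extractSafe(safeRoot, SAMPLE_ENTRIES);
    return { escaped, escapedExist, rejected };
  } finally {
    fs.rmSync(tmp, { recursive: true, force: true });
  }
}

console.log(runDemo());
```

The absolute entry is the instructive one: path.join keeps it inside the root (join concatenates and normalises), while path.resolve would have let it replace the root entirely, which is why the hardened path resolves first and then checks, rather than relying on join alone.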
Detection Methods for CVE-2026-28486
Indicators of Compromise
- Unexpected files appearing in system directories such as /etc/cron.d/, /etc/profile.d/, or user home directories after OpenClaw package installations
- Archive extraction logs showing paths containing ../ sequences or absolute paths
- Modified system configuration files with timestamps coinciding with OpenClaw installation activity
- Presence of unknown scheduled tasks or shell profile modifications
Detection Strategies
- Monitor filesystem writes during OpenClaw installation operations for paths outside expected extraction directories
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized modifications
- Review OpenClaw installation logs for archive entries containing directory traversal patterns
- Deploy endpoint detection rules to alert on archive extraction operations writing to sensitive system paths
Monitoring Recommendations
- Enable verbose logging for all OpenClaw installation commands to capture extracted file paths
- Configure SIEM rules to correlate OpenClaw process activity with writes to system configuration directories
- Implement allowlisting for permitted extraction target directories
- Monitor for creation of new executable files or scripts following OpenClaw package installations
How to Mitigate CVE-2026-28486
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.14 or later immediately
- Audit all recently installed OpenClaw packages for potentially malicious content
- Review filesystem changes on affected systems for signs of unauthorized file writes
- Restrict OpenClaw installation commands to trusted package sources only
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.14. According to this page, the fix introduces the resolvePathWithinRoot function in src/browser/paths.ts and integrates it via src/agents/tools/browser-tool.ts, so that every resolved path is checked against its root before use. Note that both files belong to the browser tool rather than to the skills, hooks, plugins, or signal install commands named in the overview; the page does not show the change to the archive extraction code itself, so confirm the scope of the fix against the upstream commit before relying on this description.
For detailed patch information, see:
Workarounds
- Validate all archive contents manually before executing installation commands using tools like tar -tvf (or tar -tf for names only) or unzip -l, checking entry names for absolute paths and .. components and inspecting the target of every symlink entry
- Implement filesystem sandboxing or containerization for OpenClaw installation operations
- Restrict write permissions for the user account running OpenClaw to limit potential impact
- Only install packages from verified and trusted sources until the upgrade is applied
# Validate archive contents before installation: list entry names only (no -v, so only
# the name is matched) and flag absolute paths or ".." as any path component
tar -tf package.tar.gz | grep -E '^/|^\.\.(/|$)|/\.\.(/|$)' && echo "WARNING: Potential path traversal detected"
# Symlink entries can redirect later writes outside the root; -v lists them as "name -> target"
tar -tvf package.tar.gz | grep -E '^l' && echo "WARNING: archive contains symlink entries, inspect their targets"
# Run OpenClaw installations in a restricted environment
# Example using a container (image name, mount and entrypoint are illustrative)
docker run --rm -v "$(pwd)/packages:/packages:ro" openclaw:latest skills install /packages/trusted-skill.tar.gz
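The grep above checks entry names only, and neither it nor a manual listing catches a symlink entry whose target points outside the extraction root; the detection strategies earlier on this page ask for the same review of archive entries. The following added TypeScript example (written for this page, not OpenClaw's code) builds a small ustar archive in memory, constructed to contain the page's own ../../.bashrc and /etc/cron.d cases plus an escaping symlink, reads the headers back, and reports the entries that would escape. scanTar, listTar, findUnsafeEntries, buildTar and the constant ROOT are names chosen here; it is the check a practitioner would run on an untrusted package before openclaw skills install.

```typescript
import * as path from "node:path";

interface TarEntry { name: string; type: string; linkname: string; size: number }

// Minimal ustar header writer, used only to construct the sample archive in memory.
function tarHeader(name: string, size: number, typeflag: string, linkname: string): Buffer {
  const h = Buffer.alloc(512, 0);
  h.write(name, 0, 100, "utf8");
  h.write("0000644\0", 100, 8, "utf8"); // mode
  h.write("0000000\0", 108, 8, "utf8"); // uid
  h.write("0000000\0", 116, 8, "utf8"); // gid
  h.write(size.toString(8).padStart(11, "0") + "\0", 124, 12, "utf8");
  h.write("00000000000\0", 136, 12, "utf8"); // mtime
  h.write("        ", 148, 8, "utf8"); // checksum is computed with this field as spaces
  h.write(typeflag, 156, 1, "utf8");
  h.write(linkname, 157, 100, "utf8");
  h.write("ustar\0", 257, 6, "utf8");
  h.write("00", 263, 2, "utf8");
  let sum = 0;
  for (let i = 0; i < 512; i++) sum += h[i];
  h.write(sum.toString(8).padStart(6, "0") + "\0 ", 148, 8, "utf8");
  return h;
}

// Assembles headers plus 512-byte-padded bodies and the two zero end-of-archive blocks.
function buildTar(specs: { name: string; type?: string; linkname?: string; data?: string }[]): Buffer {
  const blocks: Buffer[] = [];
  for (const s of specs) {
    const type = s.type ?? "0";
    const data = type === "0" ? Buffer.from(s.data ?? "", "utf8") : Buffer.alloc(0);
    blocks.push(tarHeader(s.name, data.length, type, s.linkname ?? ""));
    blocks.push(data, Buffer.alloc((512 - (data.length % 512)) % 512, 0));
  }
  blocks.push(Buffer.alloc(1024, 0));
  return Buffer.concat(blocks);
}

// Reads ustar headers back: name (prefix + name), type flag, link target and size.
function listTar(buf: Buffer): TarEntry[] {
  const out: TarEntry[] = [];
  let off = 0;
  while (off + 512 <= buf.length) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const field = (s: number, e: number) => h.subarray(s, e).toString("utf8").replace(/\0[\s\S]*$/, "");
    const prefix = field(345, 500);
    const name = prefix ? `${prefix}/${field(0, 100)}` : field(0, 100);
    const size = parseInt(field(124, 136).trim() || "0", 8);
    const type = h[156] === 0 ? "0" : String.fromCharCode(h[156]);
    out.push({ name, type, linkname: field(157, 257), size });
    off += 512 + Math.ceil(size / 512) * 512;
  }
  return out;
}

// Virtual extraction root: only each entry's relation to it matters, so the scan
// never touches the real filesystem.
const ROOT = "/extract";

function escapesRoot(absolute: string): boolean {
  const rel = path.posix.relative(ROOT, absolute);
  return rel.startsWith("..") || path.posix.isAbsolute(rel);
}

// Flags entries that would write, or let a later entry write, outside the root:
// absolute names, ".." traversal, and symlinks (type "2", target relative to the
// link's own directory) or hard links (type "1", target relative to the archive
// root) whose target lies outside the root.
function findUnsafeEntries(entries: TarEntry[]): { name: string; reason: string }[] {
  const findings: { name: string; reason: string }[] = [];
  for (const e of entries) {
    if (path.posix.isAbsolute(e.name)) {
      findings.push({ name: e.name, reason: "absolute entry name" });
    } else if (escapesRoot(path.posix.resolve(ROOT, e.name))) {
      findings.push({ name: e.name, reason: "path traversal out of root" });
    } else if (e.type === "2" || e.type === "1") {
      const base = e.type === "2" ? path.posix.dirname(path.posix.join(ROOT, e.name)) : ROOT;
      if (escapesRoot(path.posix.resolve(base, e.linkname))) {
        findings.push({ name: e.name, reason: `link target outside root: ${e.linkname}` });
      }
    }
  }
  return findings;
}

function scanTar(buf: Buffer): { name: string; reason: string }[] {
  return findUnsafeEntries(listTar(buf));
}

// Constructed sample archive: a benign skill plus the traversal, absolute-path and
// symlink cases an extractor must refuse. File bodies are placeholders.
const SAMPLE_TAR = buildTar([
  { name: "skill/", type: "5" },
  { name: "skill/SKILL.md", data: "# demo skill\n" },
  { name: "../../.bashrc", data: "payload\n" },
  { name: "/etc/cron.d/openclaw", data: "payload\n" },
  { name: "skill/link", type: "2", linkname: "../../../etc" },
  { name: "skill/ok-link", type: "2", linkname: "SKILL.md" },
]);

console.log(scanTar(SAMPLE_TAR));
```

For a real .tar.gz, read the file and pass zlib.gunzipSync(buffer) to scanTar. The reader understands plain ustar headers only (no GNU long-name or PAX extension records), so archives using those need a full tar library, but the escape rules in findUnsafeEntries apply unchanged.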
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

