CVE-2026-32044 Overview
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability (CWE-409: Improper Handling of Highly Compressed Data) in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.
Critical Impact
This vulnerability allows attackers to bypass archive safety mechanisms, potentially causing denial of service through resource exhaustion when users install malicious skill packages.
Affected Products
- OpenClaw versions prior to 2026.3.2
- OpenClaw for Node.js (all platforms)
- OpenClaw skill installation component
Discovery Timeline
- 2026-03-21 - CVE CVE-2026-32044 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-32044
Vulnerability Analysis
This vulnerability exists in OpenClaw's archive extraction functionality within the src/infra/archive.ts file. The core issue stems from inconsistent security controls applied across different archive formats. While the application enforces safety checks (such as maximum archive size limits and entry count limits) on standard archive formats like .zip, the tar.bz2 format was not subject to the same guardrails.
The attack requires local access and user interaction - a victim must be tricked into installing a malicious skill archive. Once triggered, the vulnerability can cause a denial of service condition by exhausting system resources during the extraction process.
Root Cause
The root cause is improper handling of highly compressed data (CWE-409) where the tar.bz2 extraction path lacked parity with other archive format handlers. The maxArchiveBytes limit and entry count restrictions were primarily implemented for zip extraction but were not consistently applied to tar archives. This oversight allowed malicious tar.bz2 archives to bypass the safety constraints that protected other archive types.
Attack Vector
The attack requires local access where an attacker must convince a user to install a specially crafted tar.bz2 skill archive. The malicious archive can contain:
- Highly compressed data that expands to exhaust disk space or memory
- An excessive number of entries that overwhelm the extraction process
- Special entries that bypass blocking mechanisms
When the victim attempts to install the malicious skill package, the extraction process consumes excessive resources, leading to a denial of service condition on the local system.
export type ArchiveExtractLimits = {
/**
- * Max archive file bytes (compressed). Primarily protects zip extraction
- * because we currently read the whole archive into memory for parsing.
+ * Max archive file bytes (compressed).
*/
maxArchiveBytes?: number;
/** Max number of extracted entries (files + dirs). */
Source: GitHub Commit Reference
The patch removes the comment indicating that maxArchiveBytes was "primarily" for zip extraction, reflecting that these limits are now consistently applied across all archive formats including tar.bz2.
Detection Methods for CVE-2026-32044
Indicators of Compromise
- Unexpected tar.bz2 skill archives appearing in OpenClaw skill directories
- System resource exhaustion (disk space, memory) during skill installation operations
- Failed or hung skill installation processes with large temporary file artifacts
- Abnormal extraction ratios where compressed archives expand to disproportionately large sizes
Detection Strategies
- Monitor OpenClaw skill installation directories for suspicious tar.bz2 files from untrusted sources
- Implement file system monitoring for rapid disk consumption during archive extraction
- Log and alert on skill installation failures with resource exhaustion indicators
- Review application logs for archive extraction errors or timeouts
Monitoring Recommendations
- Enable verbose logging for OpenClaw skill installation operations
- Configure system alerts for sudden disk space consumption or memory spikes
- Implement integrity monitoring on skill archive directories
- Track the source of skill packages being installed to identify untrusted origins
How to Mitigate CVE-2026-32044
Immediate Actions Required
- Upgrade OpenClaw to version 2026.3.2 or later immediately
- Audit any recently installed skills from untrusted sources
- Only install skill packages from verified and trusted repositories
- Temporarily disable skill installation functionality if upgrade is not immediately possible
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.3.2. The fix hardens tar archive extraction to have parity with other archive formats, ensuring that maxArchiveBytes and entry count limits are consistently enforced across all supported archive types.
For detailed patch information, see the GitHub Security Advisory GHSA-77hf-7fqf-f227 and the security commit 0dbb92dd2bcf9a32379d11c0f11ed016669dae3e.
Workarounds
- Restrict skill installation to .zip format archives only until patched
- Implement external archive validation before allowing skill installation
- Configure system-level resource limits (disk quotas, memory limits) for the OpenClaw process
- Block or quarantine incoming tar.bz2 files at the network or endpoint level
# Configuration example - Restrict skill archive formats (if supported by your version)
# Add to OpenClaw configuration file
OPENCLAW_ALLOWED_ARCHIVE_FORMATS=zip
OPENCLAW_MAX_ARCHIVE_SIZE=52428800
OPENCLAW_MAX_EXTRACTED_ENTRIES=1000
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
