OpenClaw ZIP Extraction Race Condition Vulnerability Allowing Arbitrary File Write

Vulnerability

A race condition has been identified in OpenClaw versions prior to 2026.3.2 that allows a local attacker to write files outside the intended destination directory during ZIP extraction. The flaw is a time-of-check-to-time-of-use (TOCTOU) race between path validation and the file write: the extractor resolves and validates an entry's destination path, then writes to that path as a separate step, so an attacker who rebinds a parent directory to a symlink in the window between the two steps can redirect the write outside the extraction root.

Impact

Successful exploitation gives a local attacker an arbitrary file write outside the extraction directory, with the file contents taken from the crafted archive. Depending on where the write is redirected, this can overwrite existing files or create new ones in sensitive locations. The attacker must already have local access and be able to modify the extraction directory (for example, replace a subdirectory with a symlink) while extraction is in progress.

Reproduction

To reproduce, craft a ZIP whose entries first create a directory inside the extraction root and then write a file under that directory. The extractor validates the file entry's destination path, which resolves inside the root at that moment, and then performs the write as a separate step. Between those two steps the attacker replaces the intermediate directory with a symlink to a location outside the extraction root. Because the extractor resolves the path string a second time at write time, the write follows the rebound symlink and lands outside the intended directory.

Remediation

Upgrade to OpenClaw 2026.3.2 or later, where this issue is fixed. Until the upgrade is applied, avoid extracting archives into directories that other local users can modify, since the race requires the attacker to alter the extraction tree while extraction is running.

Added: Mar 19, 2026, 2:34 AM
Updated: Mar 19, 2026, 2:34 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 3.9
remediation: 0.0
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.