OpenClaw Path Traversal Vulnerability in Plugin Installation
Vulnerability
A path traversal vulnerability has been identified in OpenClaw versions from 2026.1.29-beta.1 up to, but not including, 2026.2.1. A malicious plugin package name can escape the designated extensions directory during plugin installation: a scoped package name containing path traversal sequences such as '..' manipulates the installation path, so files are written outside the intended directory. Exploitation occurs when the victim runs the 'openclaw plugins install' command on the crafted plugin content.
Impact
Exploitation of this vulnerability could lead to unauthorized file writes outside the intended directories, potentially overwriting critical files or disrupting application functionality.
Reproduction
To reproduce this vulnerability, create a plugin package with a name that includes path traversal sequences, such as '..'. Include this package in a tarball and attempt to install it using the 'openclaw plugins install' command. The crafted package name will cause files to be written outside the intended extensions directory, demonstrating the path traversal vulnerability.
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.1 or later, where this vulnerability has been patched.
