OpenClaw Path Traversal Vulnerability in TAR Archive Extraction
Vulnerability
A path traversal vulnerability has been identified in OpenClaw versions prior to 2026.2.14. The issue arises because the software fails to properly validate entry paths in TAR archives during extraction. This oversight allows attackers to craft malicious archives that exploit path traversal sequences, such as '../../', to write files outside the designated extraction directory. Such exploitation could lead to unauthorized configuration changes and potentially allow for code execution.
Impact
Exploitation of this vulnerability is the archive-extraction form of path traversal commonly known as 'Zip Slip': entry names carrying traversal sequences cause files to be written outside the intended directory. This could lead to unauthorized modification of configuration files and, in some cases, execution of malicious code.
Reproduction
To reproduce this vulnerability, upload a crafted TAR archive that includes path traversal sequences, such as '../../', through the OpenClaw browser tool. This can be done by using the 'upload' command with the path to the malicious archive, ensuring it is placed within the OpenClaw temporary uploads directory. Once the archive is uploaded, the 'waitfordownload' command can be used to ensure the file is processed, triggering the extraction and the associated path traversal vulnerability.
Remediation
Users are advised to upgrade to OpenClaw version 2026.2.14 or later. It is also recommended to avoid installing untrusted plugin or hook archives.