CVE-2026-28486
📋 TL;DR
OpenClaw versions 2026.1.16-2 through 2026.2.13 contain a path traversal vulnerability in archive extraction during installation commands. Attackers can craft malicious archives that write files outside intended directories when extracted via install commands, potentially enabling persistence or code execution. Users running vulnerable OpenClaw versions are affected.
💻 Affected Systems
- OpenClaw
📦 What is this software?
Openclaw by Openclaw
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to full system compromise, data theft, or ransomware deployment
Likely Case
Arbitrary file writes enabling persistence mechanisms, configuration modification, or privilege escalation
If Mitigated
Limited to file writes in user-controlled directories with proper access controls
🎯 Exploit Status
Exploitation requires the user to run an install command on an attacker-supplied archive
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.14 and later
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-v892-hwpg-jwqp
Restart Required: No
Instructions:
1. Update OpenClaw to version 2026.2.14 or later using your package manager.
2. Verify the installation with 'openclaw --version'.
3. No restart is required, as this is a library/application fix.
🔧 Temporary Workarounds
Disable archive installation
Temporarily disable installation from archive files until patched
# Configure OpenClaw to reject archive installations
# Check documentation for specific configuration options
Use trusted sources only
Restrict installation to verified, signed packages from official repositories
# Configure package sources to official repos only
# Remove untrusted package sources
🧯 If You Can't Patch
- Implement strict access controls on directories where OpenClaw runs
- Monitor for suspicious archive extraction patterns and file writes outside expected directories
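The mitigation an archive installer needs against this vulnerability class, as an added illustration that is not OpenClaw's code or the vendor's fix: every member name is resolved against the destination before anything is written, and members with absolute names, `..` segments, or links pointing outside the destination are rejected. The archive contents and destination directory are constructed for the demo.

```python
import io
import os
import tarfile
import tempfile


def escapes_dest(member_name: str, dest: str) -> bool:
    """True if extracting member_name under dest would land outside dest.
    Absolute names and '..' segments are the two forms the advisory lists;
    realpath + commonpath also catches mixed forms such as 'pkg/../../x'."""
    dest_real = os.path.realpath(dest)
    # os.path.join discards dest when member_name is absolute, which is exactly
    # what an unchecked extractor would do, so the check sees the real target.
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) != dest_real


def safe_extract(tar: tarfile.TarFile, dest: str) -> list[str]:
    """Extract only members that stay inside dest; return the rejected names.
    (Python 3.12+ offers the same guard as extractall(filter="data").)"""
    rejected = []
    for member in tar.getmembers():
        if escapes_dest(member.name, dest):
            rejected.append(member.name)
            continue
        if member.issym() or member.islnk():
            # A link whose target leaves dest is a second escape route.
            link_path = os.path.join(os.path.dirname(member.name), member.linkname)
            if escapes_dest(link_path, dest):
                rejected.append(member.name)
                continue
        tar.extract(member, dest, set_attrs=False)
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus two traversal attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("pkg/README", "../outside.txt", "/tmp/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"demo"))
    return buf.getvalue()


def demo() -> dict:
    """Run safe_extract on the sample archive in a fresh temp directory."""
    dest = tempfile.mkdtemp()
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        rejected = safe_extract(tar, dest)
    extracted = sorted(os.path.relpath(os.path.join(root, f), dest)
                       for root, _, files in os.walk(dest) for f in files)
    return {"rejected": rejected, "extracted": extracted}
```

Running demo() writes only pkg/README and reports the other two names as rejected; the same rejected list is what the log indicators below are meant to surface.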
🔍 How to Verify
Check if Vulnerable:
Check OpenClaw version with 'openclaw --version' and compare to affected range 2026.1.16-2 through 2026.2.13
Check Version:
openclaw --version
Verify Fix Applied:
Verify version is 2026.2.14 or later with 'openclaw --version' and test archive extraction with known safe test files
📡 Detection & Monitoring
Log Indicators:
- Archive extraction logs showing path traversal sequences
- File writes outside expected OpenClaw directories
- Installation commands processing archives with '..' or absolute paths
Network Indicators:
- Downloads of archives from untrusted sources followed by OpenClaw installation commands
SIEM Query:
process_name:"openclaw" AND (command_line:"install" AND command_line:"archive") AND file_write_path:(".." OR "/" OR absolute_path_patterns)