PT-2026-23531 · Openclaw · Openclaw

Credits: Shangzhi-Xu +1

Published: 2026-03-02 · Updated: 2026-03-07

CVE-2026-28453

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.2.14

Description
OpenClaw versions before 2026.2.14 do not properly validate TAR archive entry paths during extraction. A crafted archive can use path traversal sequences, such as ../../..., to write files outside the intended destination directory, a condition known as Zip Slip. The affected code path is the extractArchive() function in src/infra/archive.ts, which used tar.x({ cwd: destDir }) without rejecting traversal or absolute entry paths. This issue affects installation flows, including openclaw plugins install and openclaw hooks install. An attacker who successfully exploits this issue can write files outside the extraction directory with the permissions of the OpenClaw process, potentially leading to configuration tampering and code execution.

Recommendations
Upgrade to OpenClaw version 2026.2.14 or later. Avoid installing untrusted plugin or hook archives.

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-28453
GHSA-P25H-9Q54-FFVW

Affected Products

Openclaw