PT-2026-23560 · Openclaw · Openclaw

Mark

Published: 2026-02-14 · Updated: 2026-03-11

CVE-2026-28486

CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.1.16-2 through 2026.2.13

Description: A path traversal issue exists in archive extraction during installation commands. This allows a crafted archive to write files outside the intended extraction directory. The issue affects users who run installation commands against untrusted archives, such as those obtained from a local file or URL. Specifically, the affected commands are openclaw skills install, openclaw hooks install, openclaw plugins install, and openclaw signal install. Successful exploitation can lead to arbitrary file write as the current user, potentially enabling persistence or code execution if an attacker can convince a user to install a malicious archive.

Recommendations: Update to version 2026.2.14 or later.
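The defensive check behind a fix for this class of bug is to resolve every archive member name against the destination directory and refuse the archive if any member would land outside it. The example below is added here and is not OpenClaw's own code; it assumes a Node.js/TypeScript environment, a constructed list of archive entries (not a real tar or zip parser), and the hypothetical destination directory /tmp/openclaw-skills. It goes slightly beyond the advisory text by also checking symlink members, since a link whose target escapes the root can turn a later file write into an out-of-tree write.

```typescript
import * as path from "node:path";

// One archive entry as an extractor would see it: the member name plus, for
// symlink members, the link target recorded in the archive.
interface ArchiveEntry {
  name: string;
  type: "file" | "dir" | "symlink";
  linkTarget?: string;
}

// Constructed sample of what a crafted skill archive might contain. This is
// illustrative data, not taken from the advisory.
const SAMPLE_ENTRIES: ArchiveEntry[] = [
  { name: "my-skill/SKILL.md", type: "file" },
  { name: "my-skill/scripts/run.sh", type: "file" },
  { name: "../../.bashrc", type: "file" },                                 // dot-dot traversal
  { name: "/etc/cron.d/job", type: "file" },                               // absolute member name
  { name: "my-skill/../../escape", type: "file" },                         // traversal after a safe prefix
  { name: "my-skill/link", type: "symlink", linkTarget: "../../../.ssh" }, // link target escapes the root
  { name: "my-skill/local", type: "symlink", linkTarget: "scripts" },      // link target stays inside
];

// Returns the absolute path a member may be written to, or null if the member
// would resolve outside destDir. POSIX rules are used throughout so the result
// does not depend on the host platform; backslashes are treated as separators
// because some extractors accept them on every platform.
function containedPath(destDir: string, member: string): string | null {
  const root = path.posix.resolve(destDir);
  const normalized = member.replace(/\\/g, "/");
  if (path.posix.isAbsolute(normalized) || /^[A-Za-z]:/.test(normalized)) return null;
  const target = path.posix.resolve(root, normalized);
  const rel = path.posix.relative(root, target);
  // rel === "" means the member is the root itself; a leading ".." segment means escape.
  // A file literally named "..foo" is still inside the root and is kept.
  if (rel === "" || rel === ".." || rel.startsWith("../")) return null;
  return target;
}

// A whole entry is safe when its name is contained and, for a symlink, its
// target (resolved relative to the link's own directory) is contained too.
function isSafeEntry(destDir: string, entry: ArchiveEntry): boolean {
  const target = containedPath(destDir, entry.name);
  if (target === null) return false;
  if (entry.type === "symlink") {
    if (entry.linkTarget === undefined || path.posix.isAbsolute(entry.linkTarget)) return false;
    const root = path.posix.resolve(destDir);
    const linkDir = path.posix.dirname(path.posix.relative(root, target));
    return containedPath(destDir, path.posix.join(linkDir, entry.linkTarget)) !== null;
  }
  return true;
}

// Splits entries into those that may be extracted and those that must not be.
// An installer should refuse the whole archive if `rejected` is non-empty
// rather than extracting the accepted subset.
function partitionEntries(
  destDir: string,
  entries: ArchiveEntry[],
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const entry of entries) {
    (isSafeEntry(destDir, entry) ? accepted : rejected).push(entry.name);
  }
  return { accepted, rejected };
}

// Stand-alone run against the constructed sample.
const verdict = partitionEntries("/tmp/openclaw-skills", SAMPLE_ENTRIES);
console.log("accepted:", verdict.accepted);
console.log("rejected:", verdict.rejected);
```

The check is done on the member name before anything touches the filesystem, and the archive is rejected as a whole when any entry fails, so a partially written skill directory is never left behind. Checking names alone is not sufficient once symlinks are involved, which is why the symlink branch resolves the link target against the link's directory and applies the same containment test.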

Fix

Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-06168
CVE-2026-28486
GHSA-V892-HWPG-JWQP

Affected Products

Openclaw