PT-2026-27225 · Openclaw · Openclaw

Tdjackey · Published 2026-03-03 · Updated 2026-03-24 · CVE-2026-28483

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.2 (2026.3.1 and earlier)

Description: A race condition exists in ZIP extraction within OpenClaw that could allow local attackers to write files outside the intended destination directory. It is possible because a parent-directory symlink can be rebound between path validation and the file write. The root cause is the gap between the validation and truncate operations in src/infra/archive.ts, which allows a manipulated parent-directory symlink to redirect writes outside the extraction root. The fix hardens ZIP writes by binding each write to the identity of the opened file handle and removing the pre-write truncate step that opened the race window; the file-descriptor realpath verification is shared through src/infra/fs-safe.ts, and regression coverage is added in src/infra/archive.test.ts.

Recommendations: Update OpenClaw to version 2026.3.2 or later.
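The mitigation pattern the advisory describes, shown as an added illustration rather than OpenClaw's own code: the parent directory and the target file are verified through their open descriptors (fd realpath check), and truncation happens only through the verified file fd instead of via the path before the write. It assumes Linux (/proc/self/fd for fd realpath), that the entry's parent directories already exist, and the constructed temporary directories and entry names in demo().

```python
import os
import tempfile

class UnsafeExtractionPath(Exception):
    """Raised when an archive entry would land outside the extraction root."""

def safe_extract_write(root: str, rel_path: str, data: bytes) -> str:
    """Write one ZIP file entry below root (its parent directory must exist),
    checking the destination through open fds rather than the path string."""
    parts = rel_path.split("/")
    if os.path.isabs(rel_path) or ".." in parts or "" in parts:
        raise UnsafeExtractionPath(f"rejected entry name: {rel_path!r}")
    real_root = os.path.realpath(root)
    parent = os.path.join(real_root, *parts[:-1])
    # Between the lexical check and this open, a component of `parent` may be
    # rebound to a symlink, so the path string alone proves nothing yet.
    dir_fd = os.open(parent, os.O_RDONLY | os.O_DIRECTORY)
    try:
        # Linux-specific (assumption): ask the kernel where the handle points.
        # An open fd cannot be retargeted by swapping a directory afterwards.
        actual_dir = os.readlink(f"/proc/self/fd/{dir_fd}")
        if os.path.commonpath([actual_dir, real_root]) != real_root:
            raise UnsafeExtractionPath(f"parent escaped root: {actual_dir}")
        # Create relative to the verified directory handle. O_NOFOLLOW rejects
        # a symlink at the final component; no O_TRUNC, because truncating via
        # the path before the write is the race the fix removes.
        fd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW,
                     0o644, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)
    try:
        os.ftruncate(fd, 0)  # truncate and write only through the verified fd
        os.write(fd, data)
        return os.path.join(actual_dir, parts[-1])
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed scenario: one benign entry, then an entry whose parent
    directory has been replaced by a symlink to a directory outside root."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    written = safe_extract_write(root, "notes.txt", b"hello")
    os.symlink(outside, os.path.join(root, "payload"))
    try:
        safe_extract_write(root, "payload/evil.txt", b"x")
        blocked = False
    except UnsafeExtractionPath:
        blocked = True
    return {"written": written, "blocked": blocked,
            "leaked": os.path.exists(os.path.join(outside, "evil.txt"))}
```

Because the check runs on the already-open directory handle, it holds regardless of when the symlink swap happened; a path-string check made before the open would not.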

Fix

LPE

Link Following

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

CVE-2026-28483
GHSA-R54R-WMMQ-MH84

Affected Products

Openclaw