PT-2026-27225 · Openclaw · Openclaw
Tdjackey · Published 2026-03-23 · Updated 2026-03-23 · CVE-2026-28483
CVSS v3.1: 5.8 (Medium) | AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L |
OpenClaw before 2026.3.2 contains a race condition (time-of-check/time-of-use) vulnerability in ZIP extraction that allows a local attacker to write files outside the intended destination directory by rebinding a parent directory to a symlink between path validation and the file write. The gap between the validation step and the truncate/write operation in src/infra/archive.ts lets such writes be redirected outside the extraction root.
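The pattern behind this class of bug, and the fix that closes it, as an added example (not OpenClaw's code and not taken from src/infra/archive.ts). It is written in Python rather than the project's TypeScript because the mitigation depends on openat-style directory-fd calls (dir_fd plus O_NOFOLLOW), which Python's os module exposes directly and Node's fs API does not; it assumes a Linux/Unix host. vulnerable_extract validates a path string and later opens it by name, so a parent directory that becomes a symlink in between is followed; safe_extract opens each path component relative to the already-opened parent with O_NOFOLLOW, so the write can only land under the root directory fd regardless of what the name resolves to later. The after_check parameter and _rebind_parent are a constructed test seam that exercises the race window deterministically; run_demo and its temporary-directory layout are likewise constructed for the example.

```python
import os
import tempfile


def vulnerable_extract(root, entries, after_check=None):
    """Validate-then-write (the pattern the advisory describes).

    The candidate path is checked once as a string, then opened by name
    later.  Nothing ties the open() to the path that was validated, so a
    parent directory that is swapped for a symlink in the window is followed.
    `after_check` is a test seam (constructed for this example) that runs
    inside that window.
    """
    real_root = os.path.realpath(root)
    for rel, data in entries:
        dest = os.path.realpath(os.path.join(root, rel))
        if not dest.startswith(real_root + os.sep):
            raise ValueError(f"path traversal: {rel!r}")
        if after_check:
            after_check()          # the TOCTOU window
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        # O_TRUNC/write on whatever `dest` resolves to *now*, not at check time
        with open(dest, "wb") as f:
            f.write(data)


def safe_extract(root, entries, after_check=None):
    """Open every component relative to its parent fd with O_NOFOLLOW.

    The root is held open as a directory fd; each intermediate component is
    opened with dir_fd=<parent fd> and O_DIRECTORY|O_NOFOLLOW, and the file
    itself with O_NOFOLLOW.  A later rebind of any parent to a symlink makes
    the open fail (ELOOP) instead of redirecting the write.
    """
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for rel, data in entries:
            parts = [p for p in rel.replace("\\", "/").split("/") if p]
            if os.path.isabs(rel) or not parts or any(p in (".", "..") for p in parts):
                raise ValueError(f"rejected entry name: {rel!r}")
            if after_check:
                after_check()      # same window, now harmless
            cur, opened = root_fd, []
            try:
                for d in parts[:-1]:
                    try:
                        os.mkdir(d, 0o755, dir_fd=cur)
                    except FileExistsError:
                        pass
                    nfd = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
                    opened.append(nfd)
                    cur = nfd
                flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
                fd = os.open(parts[-1], flags, 0o644, dir_fd=cur)
                with os.fdopen(fd, "wb") as f:
                    f.write(data)
            finally:
                for fd_ in opened:
                    os.close(fd_)
    finally:
        os.close(root_fd)


def _rebind_parent(root, outside):
    """Constructed test seam: replace root/notes with a symlink to `outside`,
    simulating a parent-directory rebind inside the check/write window."""
    victim = os.path.join(root, "notes")
    os.rename(victim, victim + ".orig")
    os.symlink(outside, victim)


def run_demo():
    """Run both extractors against the same constructed race; return what happened."""
    results = {}
    for name, fn in (("vulnerable", vulnerable_extract), ("safe", safe_extract)):
        with tempfile.TemporaryDirectory() as tmp:
            root = os.path.join(tmp, "root")
            outside = os.path.join(tmp, "outside")
            os.makedirs(os.path.join(root, "notes"))
            os.makedirs(outside)
            raised = False
            try:
                fn(root, [("notes/readme.txt", b"hello\n")],
                   after_check=lambda: _rebind_parent(root, outside))
            except OSError:
                raised = True
            results[name] = {
                "escaped": os.path.exists(os.path.join(outside, "readme.txt")),
                "raised": raised,
            }
    return results


if __name__ == "__main__":
    print(run_demo())
```

In the constructed race the vulnerable extractor writes readme.txt into the outside directory without any error, while the safe extractor fails the component open with ELOOP and writes nothing outside the root. The key design point is that after the root fd is obtained, no further call takes a full path string: every open is relative to an fd the code already holds, so the check and the use refer to the same object.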
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
Openclaw