PT-2026-28498 · Openclaw · Openclaw

Tdjackey · Published 2026-03-12 · Updated 2026-03-29 · CVE-2026-33574

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.8

Description: The software contains a path traversal issue in the skills download installer. The installer validates the tools root path once, but then reuses a mutable path during the subsequent archive download and copy operations. A local attacker can therefore redirect the installer outside the intended tools directory by rebinding the tools-root path between that validation and the final write operation.

Recommendations: Update to version 2026.3.8 or later.

Fix

Weakness Enumeration: Time Of Check To Time Of Use

Related Identifiers

CVE-2026-33574
GHSA-6Q2V-VFWP-PVWH
GHSA-VHWF-4X96-VQX2

Affected Products

Openclaw