EUVD-2026-14561
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4Description
OpenClaw before 2026.3.2 contains a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory via parent-directory symlink rebind between path validation and file write operations. Attackers can exploit the gap between validation and truncate operations in src/infra/archive.ts to redirect writes outside the extraction root by manipulating parent directory symlinks.
Analysis
OpenClaw before version 2026.3.2 contains a race condition vulnerability in its ZIP extraction functionality that allows local attackers with limited privileges to write arbitrary files outside the intended extraction directory. The vulnerability exploits a time-of-check-time-of-use (TOCTOU) gap in src/infra/archive.ts where an attacker can rebind parent directory symlinks between path validation and file write operations, enabling directory traversal and potential code execution. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today