CVE-2026-28453

Sažetak

OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.

Reference

https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87
https://github.com/openclaw/openclaw/security/advisories/GHSA-p25h-9q54-ffvw
https://www.vulncheck.com/advisories/openclaw-zip-slip-path-traversal-in-tar-archive-extraction

CVSS

Base:	7.5
Impact:	3.6
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

09-03-2026 - 18:04

Objavljeno

05-03-2026 - 22:16