wid-sec-w-2026-0573 · Published 2026-03-02 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 8.7 HIGH

Risk Summary

OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.

CVEs (12)

CVE-2026-22180 CVE-2026-22181 CVE-2026-27670 CVE-2026-28483 CVE-2026-29608 CVE-2026-31990 CVE-2026-32004 CVE-2026-32011 CVE-2026-32035 CVE-2026-32044 CVE-2026-32901 CVE-2026-32903

Affected Vendors

Open Source

Affected Products (2)

Open Source · OpenClaw <2026.3.2

Open Source · OpenClaw 2026.3.2

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more