wid-sec-w-2026-0691 · Published 2026-03-10 · View on BSI CERT-Bund ↗

OpenClaw: Multiple Vulnerabilities

CVSS 5.8 MEDIUM

Risk Summary

OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation and final write to redirect the installer outside the intended tools directory. Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

CVEs (4)

CVE-2026-32921 CVE-2026-33574 CVE-2026-34506 CVE-2026-34509

Affected Vendors

Open Source

Affected Products (2)

Open Source · OpenClaw <2026.3.8

Open Source · OpenClaw 2026.3.8

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more