Description
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check/time-of-use (TOCTOU) race between path validation and the file write by rebinding a parent directory to a symlink, redirecting the write outside the extraction root.
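The following is an added defensive illustration, not code from OpenClaw, the advisory or the patch: it writes each archive entry through fd-relative `O_NOFOLLOW` opens rather than a re-resolved path string, so a parent directory that is rebound to a symlink between the name check and the write makes the write fail instead of escaping the root. It assumes a POSIX system with `dir_fd` support; the member names and the swap scenario in `demo()` are constructed.

```python
import os
import tempfile

def is_safe_member_name(name):
    # Reject absolute paths and '', '.' or '..' components before touching the filesystem.
    return not name.startswith("/") and all(p not in ("", ".", "..") for p in name.split("/"))

def _open_dir_nofollow(parent_fd, name):
    # O_NOFOLLOW makes open() fail with ELOOP if `name` is now a symlink, so a parent
    # directory rebound to a symlink after the name check cannot redirect the walk.
    return os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=parent_fd)

def write_member(root_fd, name, data):
    """Create `name` beneath root_fd with fd-relative calls only; no path string is re-resolved."""
    if not is_safe_member_name(name):
        raise ValueError(f"rejected archive path: {name!r}")
    parts = name.split("/")
    cur, held = root_fd, []
    try:
        for d in parts[:-1]:
            try:
                os.mkdir(d, 0o755, dir_fd=cur)
            except FileExistsError:
                pass  # exists (or is a symlink): the O_NOFOLLOW open below decides
            cur = _open_dir_nofollow(cur, d)
            held.append(cur)
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with os.fdopen(os.open(parts[-1], flags, 0o644, dir_fd=cur), "wb") as f:
            f.write(data)
    finally:
        for fd in held:
            os.close(fd)

def demo():
    # Constructed scenario: write once, rebind the parent dir to a symlink, write again.
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        try:
            write_member(root_fd, "pkg/data/first.txt", b"constructed sample")
            data_dir = os.path.join(root, "pkg", "data")
            os.rename(data_dir, data_dir + ".orig")  # parent directory rebound...
            os.symlink(outside, data_dir)             # ...to a symlink outside the root
            try:
                write_member(root_fd, "pkg/data/second.txt", b"must not land outside")
                blocked = False
            except OSError:
                blocked = True
            leaked = os.path.exists(os.path.join(outside, "second.txt"))
        finally:
            os.close(root_fd)
    return {"blocked": blocked, "leaked": leaked}
```

The same fd-relative walk applies to any archive extractor; the name check alone is not sufficient, because the filesystem can change between that check and the write.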
Problem types
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Product status
Any version before 2026.3.2
Credits
tdjackey
References
github.com/...enclaw/security/advisories/GHSA-r54r-wmmq-mh84 (GitHub Security Advisory (GHSA-r54r-wmmq-mh84))
github.com/...ommit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107 (Patch Commit)
www.vulncheck.com/...xtraction-parent-symlink-race-condition (VulnCheck Advisory: OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition)