Path traversal in OpenClaw - CVE-2026-27008

 

Path traversal in OpenClaw - CVE-2026-27008

Published: May 4, 2026


Vulnerability identifier: #VU129427
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27008
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to write files outside the intended install sandbox.

The vulnerability exists due to improper path restriction in the download skill installation target directory validation when processing targetDir values from skill frontmatter during the skills.install flow. A remote user can supply a specially crafted skill package to write files outside the intended install sandbox.

The issue is limited to the admin-only skills.install flow.


How to mitigate CVE-2026-27008

Install security update from vendor's website.

Sources