VYPR
Unrated severityNVD Advisory· Published Mar 19, 2026· Updated Mar 19, 2026

OpenClaw < 2026.3.2 - Arbitrary File Write via ZIP Extraction Parent Symlink Race Condition

CVE-2026-27670

Description

OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • OpenClaw/Openclawllm-fuzzy2 versions
    <2026.3.2+ 1 more
    • (no CPE)range: <2026.3.2
    • (no CPE)range: 0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.