DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-QRQ5-WJGG-RVQW: OpenClaw: The 'AI' That Let You Write Files Anywhere

#security #cve #cybersecurity #ghsa

OpenClaw: The 'AI' That Let You Write Files Anywhere

Vulnerability ID: GHSA-QRQ5-WJGG-RVQW
CVSS Score: 8.8
Published: 2026-02-17

In the race to build the ultimate AI assistant, the developers of OpenClaw (formerly Moltbot) forgot one of the oldest rules in the book: never trust user input, especially when that input tells you where to write files. GHSA-QRQ5-WJGG-RVQW is a critical Path Traversal vulnerability that turns a helpful plugin installation process into an arbitrary file write primitive. By simply crafting a malicious 'package.json', an attacker can escape the application's sandbox and overwrite system files, leading to Remote Code Execution (RCE). It's a classic case of convenience over security, proving that even modern AI frameworks can suffer from 1990s-era bugs.

TL;DR

Critical Path Traversal in OpenClaw's plugin installer allows attackers to write files to arbitrary locations via malicious package names. Fixed in v2026.2.1.

⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Path Traversal
  • Attack Vector: Network (via Package Install)
  • CWE ID: CWE-22
  • CVSS Score: 8.8 (High)
  • Impact: Arbitrary File Write / RCE
  • Fix Version: v2026.2.1

Affected Systems

  • OpenClaw
  • Moltbot
  • Clawdbot
  • OpenClaw: < 2026.2.1 (Fixed in: 2026.2.1)

Code Analysis

Commit: d03eca8

fix(security): prevent path traversal in plugin and hook names

function resolveSafeInstallDir(...) { ... const relative = path.relative(resolvedBase, resolvedTarget); ... }
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Input Validation: Sanitize all file path inputs.
  • Path Canonicalization: Use path.resolve() to get absolute paths.
  • Directory Confinement: Use path.relative() to ensure targets are within the sandbox.
  • Least Privilege: Run the application with restricted user permissions.

Remediation Steps:

  1. Stop the OpenClaw service.
  2. Backup your current configuration and database.
  3. Upgrade OpenClaw to version 2026.2.1 or later.
  4. Inspect the 'extensions' and 'hooks' directories for unknown or suspicious subdirectories.
  5. Restart the service.

References

Read the full report for GHSA-QRQ5-WJGG-RVQW on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)