Source: GitHub Security Advisories

[openclaw] OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands

By GitHub
March 3, 2026

**Summary**

A path traversal (Zip Slip) issue in archive extraction during explicit installation commands could allow a crafted archive to write files outside the intended extraction directory.

**Affected Packages / Versions**

- Package: openclaw (npm)
- Affected versions: >=2026.1.16-2 <2026.2.14
- Fixed version: 2026.2.14

**Affected Commands / Flows**

This only affects users who run installation commands against an untrusted archive (local file or download URL), for example:

- `openclaw skills install` (download+extract installers)
- `openclaw hooks install` (archive installs)
- `openclaw plugins install` (archive installs)
- `openclaw signal install` (signal-cli asset extraction)

It is not triggered by receiving messages or normal gateway operation.

**Impact**

Arbitrary file write as the current user. In the worst case this can be used for persistence or code execution if an attacker can convince a user to install a crafted archive.

**Fix**

- Fix commit: 3aa94afcfd12104c683c9cad81faf434d0dadf87
- Released in: 2026.2.14

**Credits**

OpenClaw thanks @markmusson for reporting...

---

**[devsupporter commentary]**

This article is a recent development update provided by GitHub Security Advisories. To learn more about the related tools or technologies, refer to the original link.