CVE-2026-27670
Status: Received (Intake)
Race Condition in OpenClaw ZIP Extraction Allows Arbitrary File Write

Publication date: 2026-03-19

Last updated on: 2026-03-19

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-19
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product    Version / Range
openclaw  openclaw   before 2026.3.2 (2026.3.2 excluded)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27670 is a race condition vulnerability in OpenClaw versions prior to 2026.3.2 that occurs during ZIP file extraction. The issue arises because the extraction process first validates file paths and then separately opens or writes to the files. Between these steps, an attacker can exploit a time-of-check to time-of-use (TOCTOU) race by rebinding parent directory symbolic links (symlinks). This allows the attacker to redirect file writes outside the intended extraction directory, potentially overwriting unauthorized files.

Technically, the vulnerability involves improper link resolution before file access (CWE-59) and TOCTOU race conditions (CWE-367). The flaw exists because path validation and file writing are not atomic, enabling attackers to manipulate symlinks during extraction to escape the designated directory.


How can this vulnerability impact me?

This vulnerability allows a local attacker to write files outside the intended extraction directory during ZIP file extraction. This can lead to unauthorized file overwrites or creation of files in sensitive locations on the system.

  • Potential unauthorized modification or replacement of critical files.
  • Possible disruption of system or application behavior due to unexpected file changes.
  • Increased risk of privilege escalation or further exploitation if critical files are overwritten.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves a race condition during ZIP extraction where an attacker can rebind parent directory symlinks to write files outside the intended extraction directory. Detection involves monitoring for suspicious ZIP extraction activities that attempt to write files outside expected directories or unusual symlink rebinding during extraction.

Since the vulnerability is local and related to file system operations, detection can include checking for unexpected file writes outside extraction directories and monitoring symlink changes during extraction.

Suggested commands to help detect potential exploitation attempts include:

  • Use filesystem monitoring tools like inotifywait (Linux) to watch for symlink changes and file writes outside expected directories during ZIP extraction.
  • Example command to monitor symlink changes in the extraction directory:
    inotifywait -m -e attrib,create,modify,delete --format '%w%f %e' /path/to/extraction/directory
  • Check for unexpected files outside extraction roots by comparing extracted files against expected paths.
  • Use find to locate recently modified files outside extraction directories:
    find / -type f -mmin -10 -exec ls -l {} \;

Additionally, reviewing logs or audit trails for ZIP extraction operations and any errors related to symlink traversal or file write failures may help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade OpenClaw to version 2026.3.2 or later, where the vulnerability has been fixed by eliminating the race condition during ZIP extraction.

The fix includes binding write operations directly to the opened file handle, verifying real paths with fs.realpath, and preventing symlink traversal by using no-follow flags when opening files.

If immediate upgrade is not possible, consider the following temporary mitigations:

  • Restrict local user permissions to prevent untrusted users from performing ZIP extraction operations.
  • Avoid extracting ZIP files from untrusted sources or run extraction in isolated environments with strict filesystem controls.
  • Monitor extraction directories for suspicious symlink changes or unexpected file writes as a detection measure.

Ultimately, applying the official patch or upgrading to the fixed version is the recommended and most effective mitigation.

