CVE-2026-27670 in OpenClaw
Summary
by MITRE • 03/19/2026
OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.
Analysis
by VulDB Data Team • 03/23/2026
The vulnerability identified as CVE-2026-27670 affects OpenClaw versions before 2026.3.2 and is a critical race condition in the ZIP extraction functionality. It stems from improper handling of file paths during archive extraction: the application validates a path first and writes the file afterwards, which leaves a window in which an attacker can change the filesystem state between those two phases. This design flaw enables unauthorized file creation in directories outside the intended extraction scope and so breaks the application's security boundary.
Technically, this is a classic time-of-check-time-of-use race, categorized under CWE-367. Attackers exploit the gap between the moment the system validates a file path and the moment it actually writes the file to disk by manipulating symbolic links in the parent directory structure. Specifically, the application checks that an extracted file would land within the allowed directory, but it does not keep that check consistent with the write that follows. A parent directory symbolic link can therefore be rebound in the brief window between validation and the file operation, redirecting the write to an arbitrary location on the filesystem.
The impact extends beyond simple privilege escalation to potential full system compromise. Local attackers can use this weakness to write malicious files to critical system directories such as /bin, /etc, or application installation folders, potentially enabling privilege escalation or persistent backdoor installation. Exploitation requires only local access, which makes the flaw particularly dangerous in multi-user environments where attackers with limited initial privileges can use it to gain higher-level system access. The attack can also be automated and needs no privileges beyond basic user access, making it a significant concern for system administrators.
Mitigation for CVE-2026-27670 should prioritize an immediate update to version 2026.3.2 or later, which contains the patch for the race condition in ZIP extraction. Organizations should implement path validation that stays consistent throughout the entire file operation lifecycle rather than relying on a single validation point. System administrators should also consider additional controls such as restricted write permissions on extraction directories and monitoring for unusual file creation in system directories. The vulnerability aligns with ATT&CK technique T1059.007 for execution through archive extraction and T1548.001 for privilege escalation, making it particularly relevant for security teams building defensive measures against these attack vectors. Organizations should further review their file extraction processes and consider sandboxed extraction environments to limit the damage from similar vulnerabilities.
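One way to close the race the analysis describes and to make the validation "consistent throughout the file operation lifecycle", shown here as an added example that is not OpenClaw's code: instead of checking a path string and then writing to it, the extractor walks each entry one component at a time relative to directory file descriptors opened with O_NOFOLLOW, so the directory that was checked is the directory that gets written into and a rebound symlink fails with ELOOP. It assumes a POSIX system with openat-style dir_fd support (Linux or macOS); the archive contents and directory names in the demo are constructed.

```python
import contextlib
import io
import os
import tempfile
import zipfile
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW  # never follow a symlinked directory
FILE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW  # create-only, never overwrite

def open_subdir(parent_fd, name):
    # mkdir-if-absent, then open without following symlinks: a symlink rebound
    # into place between the two calls fails with ELOOP instead of being followed.
    with contextlib.suppress(FileExistsError):
        os.mkdir(name, 0o755, dir_fd=parent_fd)
    return os.open(name, DIR_FLAGS, dir_fd=parent_fd)

def safe_extract(zip_bytes, dest):
    # Walk each entry one component at a time relative to directory descriptors,
    # so the directory that was checked is the directory that gets written into.
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, contextlib.ExitStack() as root:
        root_fd = os.open(dest, DIR_FLAGS)
        root.callback(os.close, root_fd)
        for info in zf.infolist():
            parts = [p for p in info.filename.split("/") if p]
            if info.filename.startswith("/") or not parts or ".." in parts:
                raise ValueError("rejected entry name: %r" % info.filename)
            if info.is_dir():
                continue  # parent directories are created on demand by open_subdir
            with contextlib.ExitStack() as dirs:
                cur = root_fd
                for comp in parts[:-1]:
                    dirs.callback(os.close, cur := open_subdir(cur, comp))
                with os.fdopen(os.open(parts[-1], FILE_FLAGS, 0o644, dir_fd=cur), "wb") as out:
                    out.write(zf.read(info))
            written.append("/".join(parts))
    return written

def demo():
    # Constructed scenario: a clean destination extracts normally; a destination whose
    # "docs" entry is a symlink to another directory is refused, and nothing leaks.
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/sub/note.txt", "nested")
    data, outside, bad = buf.getvalue(), tempfile.mkdtemp(), tempfile.mkdtemp()
    os.symlink(outside, os.path.join(bad, "docs"))
    refused = False
    try:
        safe_extract(data, bad)
    except OSError:
        refused = True
    return safe_extract(data, tempfile.mkdtemp()), refused, os.listdir(outside)
```

The O_EXCL on the final open also refuses to overwrite an existing file or a symlink planted at the file name, so the extractor fails closed on every rebinding the kernel can detect rather than re-checking a path string.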