CVE Alert

CVE-2026-27008

UNKNOWN 0.0

OpenClaw hardened the skill download target directory validation

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directory if not strictly validated. In the admin-only `skills.install` flow, this could write files outside the intended install sandbox. Version 2026.2.15 contains a fix for the issue.

CWE: CWE-73
Vendor: openclaw
Product: openclaw
Published: Feb 19, 2026
Last Updated: Feb 20, 2026

Affected Versions

openclaw / openclaw
< 2026.2.15

References

https://github.com/openclaw/openclaw/security/advisories/GHSA-h7f7-89mm-pqh6
https://github.com/openclaw/openclaw/commit/2363e1b0853a028e47f90dcc1066e3e9809d65f1
https://github.com/openclaw/openclaw/commit/b6305e97256d67e439719faacf5af3de9727d6e1
https://github.com/openclaw/openclaw/releases/tag/v2026.2.15