CVE-2026-32044

MEDIUM 5.5

OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

2th

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.

CWE	CWE-409
Vendor	openclaw
Product	openclaw
Published	Mar 21, 2026
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

OpenClaw / OpenClaw

0 < 2026.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227 github.com: https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669dae3e vulncheck.com: https://www.vulncheck.com/advisories/openclaw-tar-archive-safety-bypass-in-skills-installation

Credits

🔍 Baozongwi'xd (@GCXWLP)