openclaw SSH sandbox tar upload lets attackers write arbitrary files
TL;DR - openclaw versions < 2026.3.31 follow symlinks when extracting tar archives during SSH sandbox uploads. A low-privileged remote attacker can craft a tar that writes files outside the sandbox boundary onto the host. Patch to 2026.3.31.
What happened
openclaw is an npm-distributed agent runtime that can sync sandbox state to a remote host over SSH. CVE-2026-41364 is a classic CWE-59 link-following bug in that sync path.
When the sandbox upload handler extracts a tar archive, it follows symlinks inside the archive without validating that the resolved path stays within the sandbox root. The tar-symlink pattern behind CWE-59 is simple: the archive first carries a symlink entry whose target points outside the root, then a regular file entry whose path passes through that symlink, so the write lands at the symlink's target. An attacker with enough access to trigger an upload can use this to land files wherever the process has write permission on the remote host.
| Item | Detail |
|---|---|
| Affected component | npm package openclaw |
| Vulnerable versions | < 2026.3.31 |
| Patched version | 2026.3.31 |
| Weakness | CWE-59 (link following) |
| Severity | CVSS 3.1 8.1 (High) |
| Prerequisites | Network reachable, PR:L, no user interaction |
Arbitrary file write via archive extraction is a repeat offender in developer tooling and agent stacks. "Sync" features tend to run with broad filesystem permissions, which turns a path-traversal bug into a serious integrity problem fast.
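To make the bug class concrete, here is an added example (not openclaw's code; Python's standard tarfile module stands in for the project's extractor). It builds a constructed two-entry archive of the kind described above, extracts it with a naive loop that trusts symlink targets, and then with a hardened extractor that audits every member against the root before writing anything. It assumes a POSIX host where the process may create symlinks; the directory names and the archive entries are all constructed for the demo.

```python
import io
import os
import tarfile
import tempfile


class ArchiveEscape(Exception):
    """An archive member would land outside the extraction root."""


def build_tar(entries) -> bytes:
    # In-memory tar from (name, payload, linkname) tuples: a non-None linkname
    # makes a symlink entry, otherwise payload is the regular file's content.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples. MALICIOUS: a symlink resolving two levels above the root,
# then a file written *through* it. BENIGN: a file plus an in-root symlink.
MALICIOUS = [("state/cache", None, "../../outside"),
             ("state/cache/authorized_keys", b"attacker key\n", None)]
BENIGN = [("state/config.json", b"{}\n", None),
          ("state/latest", None, "config.json")]


def extract_naive(data: bytes, root: str) -> None:
    """Vulnerable pattern: member names and link targets are trusted as given."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            dest = os.path.join(root, m.name)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)        # target never validated
            elif m.isfile():
                with open(dest, "wb") as out:       # open() follows the link above
                    out.write(tf.extractfile(m).read())


def extract_safe(data: bytes, root: str) -> list:
    """Hardened: audit every member before writing anything, then re-check the
    resolved destination at write time. Raises ArchiveEscape on any escape."""
    root = os.path.realpath(root)
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        members = tf.getmembers()
        for m in members:                           # pass 1: static audit, no writes
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise ArchiveEscape(f"traversal in name: {m.name}")
            if m.issym():
                target = os.path.normpath(
                    os.path.join(root, os.path.dirname(m.name), m.linkname))
                if os.path.isabs(m.linkname) or os.path.commonpath([root, target]) != root:
                    raise ArchiveEscape(f"link {m.name} -> {m.linkname} escapes root")
            elif not (m.isfile() or m.isdir()):
                raise ArchiveEscape(f"unsupported member type: {m.name}")
        written = []
        for m in members:                           # pass 2: write
            dest = os.path.join(root, m.name)
            # realpath() resolves links already on disk, so none can redirect this write
            if os.path.commonpath([root, os.path.realpath(dest)]) != root:
                raise ArchiveEscape(f"resolved path escapes root: {m.name}")
            os.makedirs(dest if m.isdir() else os.path.dirname(dest), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, dest)
            elif m.isfile():
                with open(dest, "wb") as out:
                    out.write(tf.extractfile(m).read())
            written.append(m.name)
    return written


def demo(base: str = None) -> dict:
    """Run both extractors against the samples; base is a scratch directory."""
    base = base or tempfile.mkdtemp()
    outside = os.path.join(base, "outside")         # where "../../outside" lands
    naive_root, safe_root = os.path.join(base, "naive"), os.path.join(base, "safe")
    for d in (outside, naive_root, safe_root):
        os.makedirs(d)
    r = {}
    extract_naive(build_tar(MALICIOUS), naive_root)
    r["naive_wrote_outside"] = os.path.isfile(os.path.join(outside, "authorized_keys"))
    try:
        extract_safe(build_tar(MALICIOUS), safe_root)
        r["safe_rejected"] = False
    except ArchiveEscape as e:
        r["safe_rejected"], r["reason"] = True, str(e)
    r["safe_root_after"] = sorted(os.listdir(safe_root))   # nothing written
    r["benign_written"] = extract_safe(build_tar(BENIGN), safe_root)
    return r
```

Call demo() in a scratch directory: the naive extractor plants authorized_keys in the sibling outside directory, the hardened one raises in its audit pass before touching disk, and the benign archive still extracts with its in-root symlink intact. Python 3.12 and later also offer tarfile.extractall(filter="data"), which rejects this kind of archive, but hand-rolled extraction loops like the one in this advisory are exactly where such checks get skipped.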
Who is impacted
- Any deployment running the npm package openclaw at versions < 2026.3.31.
- Environments where users with low privilege (PR:L) can reach the functionality that triggers SSH sandbox tar uploads - this is not fully unauthenticated, but the bar is low.
- Highest risk where the sandbox service runs with permissions that cover executable paths, service configs, cron jobs, or SSH authorized_keys.
What to do now
- Upgrade openclaw to 2026.3.31 - the first version the CVE record marks as unaffected.
- Inventory every place openclaw is installed: developer workstations, CI runners, agent host VMs. Check lockfiles and built artefacts, not just package manifests.
- If you cannot immediately confirm who could have triggered uploads, treat this as a potential integrity incident:
  - review logs for sandbox sync and tar extraction events
  - inspect the remote host for unexpected file modifications in sensitive locations: service units, cron, startup scripts, SSH config, and key material
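One way to do the inventory step mechanically, added here as example code rather than anything openclaw ships: walk a tree for package-lock.json and npm-shrinkwrap.json files, find every copy of openclaw including nested copies under other packages' node_modules, and compare each version against 2026.3.31. The lockfiles and the pre-fix version numbers in the samples are constructed for the demo.

```python
import json
import os
import re
import tempfile

PACKAGE = "openclaw"
FIXED = (2026, 3, 31)                      # first unaffected version per the CVE record
LOCK_NAMES = ("package-lock.json", "npm-shrinkwrap.json")

# Constructed lockfiles for the demo; the pre-fix version strings are made up.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "agent-host", "dependencies": {PACKAGE: "^2026.3.31"}},
        "node_modules/openclaw": {"version": "2026.3.31"},
        "node_modules/legacy-tool": {"version": "1.4.0"},
        "node_modules/legacy-tool/node_modules/openclaw": {"version": "2026.2.10"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {"openclaw": {"version": "2026.3.20", "dependencies": {}}},
}


def is_vulnerable(version: str) -> bool:
    # Numeric compare against FIXED; a prerelease of the fixed version
    # (e.g. "2026.3.31-rc.1") counts as not yet fixed, and so does an
    # unparseable version, so unknowns get flagged rather than ignored.
    base, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", base))
    return nums < FIXED or (nums == FIXED and pre != "")


def find_copies(lock: dict) -> list:
    """(install path, version) for every copy of PACKAGE, including nested
    copies; handles lockfileVersion 1 (dependency tree) and 2/3 (packages map)."""
    found = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == PACKAGE:
                found.append((path, meta.get("version", "")))
        return found

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == PACKAGE:
                found.append((path, meta.get("version", "")))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return found


def scan_tree(base: str) -> list:
    """(lockfile, install path, version, vulnerable) for every copy under base.
    Vendored node_modules trees are pruned: their lockfiles describe someone
    else's dependencies and the top-level lock already lists nested copies."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(base):
        dirnames[:] = sorted(d for d in dirnames if d != "node_modules")
        for name in LOCK_NAMES:
            if name not in filenames:
                continue
            lock_path = os.path.join(dirpath, name)
            with open(lock_path) as f:
                lock = json.load(f)
            rel = os.path.relpath(lock_path, base).replace(os.sep, "/")
            for path, ver in find_copies(lock):
                findings.append((rel, path, ver, is_vulnerable(ver)))
    return findings


def demo(base: str = None) -> list:
    """Write the constructed lockfiles into a scratch tree and scan it."""
    base = base or tempfile.mkdtemp()
    layout = {
        "app/package-lock.json": SAMPLE_LOCK_V3,
        "ci/runner/npm-shrinkwrap.json": SAMPLE_LOCK_V1,
        "app/node_modules/dep/package-lock.json": SAMPLE_LOCK_V1,   # pruned
    }
    for rel, lock in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            json.dump(lock, f)
    return sorted(scan_tree(base))
```

Point scan_tree at a checkout root or a CI runner's workspace; a hit with vulnerable=True on a nested path means a dependency pulled in its own older copy of openclaw, which a top-level `npm ls` invocation can miss. Built artefacts (bundled JS, container images) still need a separate check, since a lockfile only describes what was resolved at install time.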
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
