Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-28447

updated 6 days, 12 hours ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt dismissed 6 days, 12 hours ago

OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files outside the intended installation directory when victims run the plugins install command.

References

GitHub Security Advisory (GHSA-qrq5-wjgg-rvqw) vendor-advisory
Patch Commit patch
VulnCheck Advisory: OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name third-party-advisory

Affected products

OpenClaw

<2026.2.1

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.1 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers