Nixpkgs Security Tracker

Dismissed

Permalink CVE-2026-28453

updated 6 days, 13 hours ago by @mweinelt Activity log

Created automatic suggestion 1 week, 1 day ago
@mweinelt dismissed 6 days, 13 hours ago

OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction

OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.

References

GitHub Security Advisory (GHSA-p25h-9q54-ffvw) vendor-advisory
Patch Commit patch
VulnCheck Advisory: OpenClaw < 2026.2.14 - Zip Slip Path Traversal in TAR Archive Extraction third-party-advisory

Affected products

OpenClaw

<2026.2.14

Matching in nixpkgs

pkgs.openclaw

Self-hosted, open-source AI assistant/agent

nixos-unstable -
- nixpkgs-unstable 2026.2.26
- nixos-unstable-small 2026.2.26

Package maintainers

@chrisportela Chris Portela <chris@chrisportela.com>

Unaffected, never had 2026.2.14 or older.

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.openclaw

Package maintainers