CVE-2026-32044
MEDIUM
6,7
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: active
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM
5,5
Source: [email protected]
Attack Vector: local
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: unchanged
Confidentiality: none
Integrity: none
Availability: high
Description
AI Translation Available
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing local denial of service during skill installation.
409
Improper Handling of Highly Compressed Data (Data Amplification)
IncompleteCommon Consequences
Security Scopes Affected:
Availability
Potential Impacts:
Dos: Amplification
Dos: Crash, Exit, Or Restart
Dos: Resource Consumption (Cpu)
Dos: Resource Consumption (Memory)
Applicable Platforms
All platforms may be affected
https://github.com/openclaw/openclaw/commit/0dbb92dd2bcf9a32379d11c0f11ed016669…
https://github.com/openclaw/openclaw/security/advisories/GHSA-77hf-7fqf-f227
https://www.vulncheck.com/advisories/openclaw-tar-archive-safety-bypass-in-skil…