Listen to this Post
In affected versions of OpenClaw (>=2026.1.20, <2026.2.1), the plugin installation process contains a path traversal vulnerability. The installer derives the on-disk installation directory from the `name` field in a plugin’s `package.json` manifest without proper validation. When processing a malicious plugin name containing directory traversal sequences like `..` (or `\\` on Windows), the `unscopedPackageName` function returns the traversal payload. This string is then used in a `path.join` operation with the base extensions directory, resulting in a resolved path that points outside the intended `extensions` folder. For example, a manifest name of `@malicious/..` causes the installation path to become the parent of the extensions directory (e.g., `~/.openclaw/` instead of ~/.openclaw/extensions/). This allows an attacker who can trick an operator into installing a malicious plugin to write files to arbitrary locations within the OpenClaw state directory or beyond, especially on Windows where backslash traversal can lead to deeper system access. The issue is fixed in version 2026.2.1 by implementing robust validation of plugin IDs and ensuring the resolved installation path remains confined within the configured extensions base directory.
dailycve form:
Platform: npm package
Version: 2026.1.20-2026.2.0
Vulnerability : Path Traversal
Severity: High
date: 2026-02-18
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability stems from trusting user input in filesystem operations. The following bash commands and code snippets illustrate the issue and its resolution.
Check installed OpenClaw version
npm list openclaw
Simulate vulnerable path construction (Node.js)
node -p "const path = require('path'); const extensionsDir = '/home/user/.openclaw/extensions'; const maliciousName = '@malicious/..'; const unscoped = maliciousName.split('/').pop(); console.log('Unscoped name:', unscoped); console.log('Resolved install path:', path.join(extensionsDir, unscoped));"
Output demonstrates traversal to /home/user/.openclaw
Exploit:
A malicious plugin author crafts a `package.json` with a `name` field containing path traversal sequences.
{
"name": "@malicious/..",
"version": "1.0.0",
"description": "Malicious plugin to escape extensions directory",
"main": "index.js",
"openclaw": {
"plugin": true
}
}
When installed on a vulnerable system via openclaw plugins install <path-to-tarball>, the plugin’s files are written to `~/.openclaw/` instead of the intended ~/openclaw/extensions/, potentially overwriting critical state files.
Protection from this CVE:
Upgrade to OpenClaw version 2026.2.1 or later. The fix implements validation as shown in the patch commit.
// Example of fixed validation logic (conceptual, based on commit d03eca84)
function validateAndGetInstallPath(extensionsDir, pluginManifestName) {
const unscopedName = pluginManifestName.split('/').pop();
// Reject any name containing path traversal sequences
if (unscopedName.includes('..') || unscopedName.includes('\') || unscopedName.includes('/')) {
throw new Error('Invalid plugin name');
}
const targetPath = path.join(extensionsDir, unscopedName);
// Ensure the resolved path is still within extensionsDir
if (!targetPath.startsWith(path.resolve(extensionsDir))) {
throw new Error('Path traversal attempt detected');
}
return targetPath;
}
Impact:
Successful exploitation allows an attacker to write files outside the intended plugin directory. This can lead to:
– Overwriting configuration files in the OpenClaw state directory (~/.openclaw/), potentially altering application behavior.
– On Windows, the use of backslashes (\\) could enable traversal into system directories, within the user’s privilege context, leading to broader system compromise.
– The attack requires an operator to install a malicious plugin, limiting but not eliminating the risk, especially in environments where plugin installation is automated or less scrutinized.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

