CVE-2026-28483: OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
ZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via a parent-directory symlink rebind between validation and write.
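One general mitigation for this class of validate-then-write race, shown as an added example (not OpenClaw's code or its actual fix): walk each path component relative to an already-open directory descriptor with O_NOFOLLOW, so a parent that is rebound to a symlink is refused rather than followed. The names write_entry and demo are hypothetical, and the sketch assumes a POSIX system and "/"-separated entry names.

```python
import os
import tempfile

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def write_entry(root_fd, entry_name, data):
    """Write one archive entry beneath root_fd without re-resolving path strings."""
    parts = [p for p in entry_name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError(f"unsafe entry name: {entry_name!r}")
    cur = os.dup(root_fd)
    try:
        for name in parts[:-1]:
            try:
                os.mkdir(name, 0o755, dir_fd=cur)
            except FileExistsError:
                pass
            # O_NOFOLLOW: if `name` is (or has just become) a symlink, the open
            # fails instead of following it. Once opened, the descriptor stays
            # bound to that directory even if the name is rebound afterwards.
            nxt = os.open(name, DIR_FLAGS, dir_fd=cur)
            os.close(cur)
            cur = nxt
        # O_EXCL | O_NOFOLLOW: never write through a pre-existing leaf symlink.
        fd = os.open(parts[-1],
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW,
                     0o644, dir_fd=cur)
        with os.fdopen(fd, "wb") as out:
            out.write(data)
    finally:
        os.close(cur)

def demo():
    """Constructed scenario: dest/sub is a symlink that points outside dest."""
    with tempfile.TemporaryDirectory() as tmp:
        dest, outside = os.path.join(tmp, "dest"), os.path.join(tmp, "outside")
        os.mkdir(dest)
        os.mkdir(outside)
        os.symlink(outside, os.path.join(dest, "sub"))
        root_fd = os.open(dest, DIR_FLAGS)
        try:
            write_entry(root_fd, "ok/file.txt", b"data")
            try:
                write_entry(root_fd, "sub/file.txt", b"data")
                refused = False
            except OSError:
                refused = True
        finally:
            os.close(root_fd)
        wrote_ok = os.path.isfile(os.path.join(dest, "ok", "file.txt"))
        return wrote_ok, refused, os.listdir(outside)
```

Because every step is resolved against a held descriptor rather than a path string, there is no window between the check and the write in which the parent can be swapped.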