Vulnerability in Openclaw
CVE-2026-32044
OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass spe…
EPSS: 0.000 (3.8th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.5 (Medium). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H.
Affected products
- Openclaw — versions 0, 2026.3.2
Weakness classification (CWE)
References
- GitHub Security Advisory (GHSA-77hf-7fqf-f227) (third-party-advisory)
- Patch Commit (patch)
- VulnCheck Advisory: OpenClaw < 2026.3.2 - Tar Archive Safety Bypass in Skills Installation (third-party-advisory)
Frequently asked questions
- What is CVE-2026-32044?
- CVE-2026-32044 is a medium-severity vulnerability in Openclaw, classified under Improper Handling of Highly Compressed Data (Data Amplification). CVSS score: 5.5/10. Published 2026-03-21.
- How severe is CVE-2026-32044?
- Medium severity. CVSS v3 base score is 5.5 out of 10.