
[MEDIUM] Security Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host (openclaw)

OpenClaw, an npm package for SSH-based sandboxed file transfers, ships a critical flaw in versions up to 2026.3.28. Attackers can craft tar archives with symlinks that escape the sandbox, writing files anywhere on the remote host. Maintainers rate it high severity and confirmed it affects shipped code. The fix landed March 31, 2026, in commit 3d5af14984ac1976c747a8e11581d697bd0829dc, but the triage remains open as of latest reports.

This vulnerability strikes at the core of OpenClaw’s security model. The package handles tar uploads over SSH into a chrooted or namespaced sandbox, meant to isolate file operations. Without symlink checks before extraction, an attacker uploads a tar containing a symlink pointing outside the sandbox—say, to /etc/passwd or a web root. When OpenClaw extracts it, the symlink resolves on the remote filesystem, overwriting targets with malicious data.

Technical Breakdown

Tar symlink attacks are old but persistent. Tools like GNU tar offer flags such as --no-same-owner or --no-overwrite-dir, yet OpenClaw’s pre-fix code lacked pre-upload validation. An exploit archive might include a symlink ../../etc/shadow inside the sandbox path, paired with a regular file. Extraction follows the link, dumping contents remotely.

Proof-of-concept is straightforward. Attacker creates:

ln -s /target/path/on/remote symlink_in_sandbox
tar -cf exploit.tar symlink_in_sandbox malicious_file.txt

Upload via OpenClaw’s SSH mechanism extracts it, writing malicious_file.txt to /target/path/on/remote. No privilege escalation needed beyond upload access. @AntAISecurityLab reported it, and maintainers merged the rejection logic on 2026-03-31T19:56:45+09:00.

OpenClaw targets secure deployments—think CI/CD pipelines or remote config pushes. Version 2026.3.28 was publicly available on npm, exposing users running automated transfers. Check your package.json: vulnerable range is <=2026.3.28; patched starts at 2026.3.31.

Impact and Why It Matters

Arbitrary writes mean real damage. Overwrite SSH host keys? Disable logins. Hit web servers? Plant backdoors. In crypto or finance setups—where Njalla clients operate—this escalates to RCE if you write executables or configs. Remote hosts often run as root or high-priv users for sandboxes, amplifying blast radius.

npm’s 2 million+ packages make supply chain hits routine. OpenClaw’s niche (SSH tar sandboxes) flies under the radar, but if your stack uses it for deploys, you’re exposed. Skeptical note: maintainers accepted the fix fast, crediting the reporter, but triage lingers open. Latest npm version 2026.3.31 includes it; verify with npm ls openclaw. Still, unreleased tags raise flags on release hygiene.

Beyond OpenClaw, this highlights tar pitfalls in remote tools. SSH sandboxes aim to contain, but symlink traversal bypasses chroot if extraction naively follows links. Industry lags: similar bugs hit rsync, scp wrappers, even Docker layers historically. Attackers chain this with phishing uploads or compromised CI.

Fix and Recommendations

Update immediately: npm update openclaw targets >=2026.3.31. Inspect the commit—it adds symlink escape rejection pre-upload, scanning archive paths against sandbox bounds. Test your setup post-upgrade; false positives could block legit transfers.
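
A check of the kind described above, as an added example that is not OpenClaw's code and not taken from the fix commit. The entry shape {path, type, linkname}, the /sandbox root and the function names are assumptions made for illustration.

```javascript
// Added example, not OpenClaw's code. Entry shape {path, type, linkname} and
// the "/sandbox" root are assumptions. Checks are lexical (no filesystem access).
// Resolve p against absolute POSIX directory base, collapsing "." and "..".
function resolvePosix(base, p) {
  const out = [];
  for (const seg of (p.startsWith("/") ? p : base + "/" + p).split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  return "/" + out.join("/");
}
const inside = (root, p) => p === root || p.startsWith(root + "/");

// Return one violation per entry that would land, or point, outside root.
function findEscapes(entries, root = "/sandbox") {
  const violations = [];
  const links = []; // destinations of symlinks seen earlier in the archive
  for (const e of entries) {
    const dest = resolvePosix(root, e.path);
    if (e.path.startsWith("/") || !inside(root, dest)) {
      violations.push({ path: e.path, reason: "absolute or escaping path" });
      continue;
    }
    // An entry beneath an archived symlink would be written through that link.
    if (links.some((l) => dest.startsWith(l + "/"))) {
      violations.push({ path: e.path, reason: "written through symlink" });
      continue;
    }
    if (e.type === "symlink") {
      // Relative link targets resolve from the directory holding the link.
      const target = resolvePosix(resolvePosix(dest, ".."), e.linkname);
      if (!inside(root, target)) {
        violations.push({ path: e.path, reason: "symlink target outside sandbox" });
      }
      links.push(dest);
    }
  }
  return violations;
}

// Constructed sample entries (not from a real archive).
const sampleEntries = [
  { path: "app/config.json", type: "file" },
  { path: "app/current", type: "symlink", linkname: "releases/v2" },
  { path: "logs", type: "symlink", linkname: "../../var/log" },
  { path: "logs/out.txt", type: "file" },
  { path: "../outside.txt", type: "file" },
];
console.log(findEscapes(sampleEntries));
```

The check is deliberately conservative: it also flags files placed beneath a symlink that stays inside the sandbox, and it cannot see symlinks that already exist on the remote host.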

Mitigate now: Disable tar uploads if unused. Run extractions as a low-privilege user with --one-file-system in custom scripts. Audit dependencies with npm audit or tools like Snyk. For high-stakes remote ops, ditch npm wrappers and use battle-tested rsync --safe-links or scp with explicit paths.

Why care? One symlink slips through, and your remote server becomes an attacker’s playground. In security-focused ops, this isn’t hypothetical; it’s shipped code with high-severity triage. Act before exploitation vectors spread on GitHub or exploit-db.

April 3, 2026 · 3 min · 4 views · Source: GitHub Security