REPRO-2026-00094 CRITICAL RCE Verified

OpenClaw: Path Traversal in Plugin Installation

openclaw (npm) Feb 19, 2026

Confidence HIGH

Reproduced in 7m 36s

Tool calls 59

Affected >= 2026.1.20, < 2026.2.1

What's the vulnerability?

OpenClaw's plugin installation path derivation could be abused by a malicious plugin package.json name to escape the intended extensions directory and write files to a parent directory.

Root Cause Analysis

One Command

Verify with pruva-verify

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00094

or pruva-verify GHSA-qrq5-wjgg-rvqw

Install: curl -fsSL https://pruva.dev/install.sh | sh

Or Run Manually

Download the script

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00094/artifacts/repro/reproduction_steps.sh

Make executable

chmod +x reproduction_steps.sh

Run the script

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

How Pruva Reproduced This

Watch the AI agent's step-by-step process.

Loading session...

Artifacts

repro/reproduction_steps.sh2.7 KB

repro/rca_report.md4.0 KB

bundle/ticket.json8.5 KB

bundle/ticket.md2.9 KB

bundle/source.json5.0 KB

logs/actual_package_test.log2.7 KB

logs/variant_analysis.log7.0 KB

logs/reproduction.log1.1 KB