
Description

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.
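The flaw described above is a path-confinement failure: a client-supplied file name is turned into a write target without checking that it still lies inside the sessions directory. The following TypeScript is an added example written for this page, not OpenClaw's code or its patch; the directory name, the function names (resolveUnchecked, resolveSessionFile, compare) and the assumed ".jsonl" transcript extension are illustrative assumptions. It shows a hypothetical unchecked resolver beside a hardened one, and runs both over constructed client inputs.

```typescript
import * as path from "node:path";

// Constructed sessions directory for the example; the real location is an
// assumption, not something the advisory states.
export const SESSIONS_DIR = "/var/lib/openclaw/sessions";

// Hypothetical unvalidated resolution (illustrative, not the project's code):
// path.resolve() follows ".." segments and discards the base entirely when the
// client value is absolute, so the write target can be anywhere the gateway
// process is allowed to write.
export function resolveUnchecked(sessionsDir: string, sessionFile: string): string {
  return path.resolve(sessionsDir, sessionFile);
}

// Hardened resolution: returns the confined absolute path, or null when the
// request must be rejected. The extension requirement is an assumed policy for
// transcript files, not a detail taken from the advisory.
export function resolveSessionFile(
  sessionsDir: string,
  sessionFile: unknown,
  allowedExt = ".jsonl",
): string | null {
  if (typeof sessionFile !== "string" || sessionFile.length === 0) return null;
  if (sessionFile.includes("\0")) return null;   // NUL bytes truncate paths in some file APIs
  if (path.isAbsolute(sessionFile)) return null; // never accept a client-chosen root
  const root = path.resolve(sessionsDir);
  const target = path.resolve(root, sessionFile);
  // Containment: target must be strictly below root, with a separator boundary
  // so that "/var/lib/openclaw/sessions-evil/x" is not mistaken for "/var/lib/openclaw/sessions".
  if (!target.startsWith(root + path.sep)) return null;
  if (path.extname(target) !== allowedExt) return null;
  return target;
}

// Run both resolvers over client-supplied values and return
// [input, unchecked target, hardened target-or-null] triples.
export function compare(inputs: string[]): Array<[string, string, string | null]> {
  return inputs.map((s) => [
    s,
    resolveUnchecked(SESSIONS_DIR, s),
    resolveSessionFile(SESSIONS_DIR, s),
  ]);
}

// Constructed sample inputs: a benign name, a nested name, two traversal
// attempts and an absolute path.
console.log(
  compare([
    "abc.jsonl",
    "team/abc.jsonl",
    "sub/../abc.jsonl",
    "../../../../etc/cron.d/x.jsonl",
    "/etc/passwd",
  ]),
);
```

The containment test is lexical only: a symlink already present inside the sessions directory can still point outside it, so the file should additionally be opened without following symlinks (or the resolved path compared after realpath) before any append is performed. Limiting the accepted name to a single path component is a stricter option if nested session files are never expected.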

Status: Published | Reserved 2026-02-27 | Published 2026-03-05 | Updated 2026-03-09 | Assigner: VulnCheck

HIGH 7.1 (CVSS 4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

HIGH 7.1 (CVSS 3.1): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Problem types

External Control of File Name or Path (CWE-73)

Product status

Default status: unaffected

Any version before 2026.2.12: affected

Credits

Tuba Deligoz (@tubadeligoz) reporter

References

github.com/...enclaw/security/advisories/GHSA-64qx-vpxx-mvqf (GitHub Security Advisory (GHSA-64qx-vpxx-mvqf)) vendor-advisory

github.com/...ommit/4199f9889f0c307b77096a229b9e085b8d856c26 (Patch Commit #1) patch

github.com/...ommit/25950bcbb8ba4d8cde002557f6e27c219ae4deda (Patch Commit #2) patch

www.vulncheck.com/...le-write-via-untrusted-sessionfile-path (VulnCheck Advisory: OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path) third-party-advisory

cve.org (CVE-2026-28459)

nvd.nist.gov (CVE-2026-28459)
