Home

Description

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-05 | Updated 2026-03-05 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 2026.2.13
affected

Credits

Adnan Jakati (@jackhax) reporter

References

github.com/...enclaw/security/advisories/GHSA-gq9c-wg68-gwj2 (GitHub Security Advisory (GHSA-gq9c-wg68-gwj2)) vendor-advisory

github.com/...ommit/7f0489e4731c8d965d78d6eac4a60312e46a9426 (Patch Commit) patch

www.vulncheck.com/...rsal-in-trace-and-download-output-paths (VulnCheck Advisory: OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths) third-party-advisory

cve.org (CVE-2026-28462)

nvd.nist.gov (CVE-2026-28462)

Download JSON