Home

Description

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-05 | Updated 2026-03-06 | Assigner VulnCheck




HIGH: 8.4CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

HIGH: 7.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Problem types

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status
unaffected

Any version before 2026.2.12
affected

Credits

AM (@akhmittra) reporter

References

github.com/...enclaw/security/advisories/GHSA-5xfq-5mr7-426q (GitHub Security Advisory (GHSA-5xfq-5mr7-426q)) vendor-advisory

github.com/...ommit/4199f9889f0c307b77096a229b9e085b8d856c26 (Patch Commit) patch

github.com/...ommit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64 (Hardening Commit) patch

www.vulncheck.com/...ed-sessionid-and-sessionfile-parameters (VulnCheck Advisory: OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters) third-party-advisory

cve.org (CVE-2026-28482)

nvd.nist.gov (CVE-2026-28482)

Download JSON