CVE-2026-28459

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.
Configurations

Configuration 1

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

09 Mar 2026, 17:39

Type: References
  Removed: https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda (no reference tags)
  Added:   https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda - Patch
Type: References
  Removed: https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 (no reference tags)
  Added:   https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 - Patch
Type: References
  Removed: https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf (no reference tags)
  Added:   https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf - Vendor Advisory, Patch
Type: References
  Removed: https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path (no reference tags)
  Added:   https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path - Third Party Advisory
Type: First Time
  Added:   Openclaw openclaw; Openclaw
Type: CPE
  Added:   cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

09 Mar 2026, 13:36

Type: Summary
  Added (es, translated from Spanish): OpenClaw versions prior to 2026.2.12 do not validate the sessionFile path parameter, which allows authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, which could cause configuration corruption or denial of service.

06 Mar 2026, 17:16

Type: CVSS
  Removed: v2: unknown; v3: 6.5
  Added:   v2: unknown; v3: 7.1

05 Mar 2026, 22:16

Type: New CVE

Information

Published : 2026-03-05 22:16

Updated : 2026-03-09 17:39


NVD link : CVE-2026-28459

Mitre link : CVE-2026-28459

CVE.ORG link : CVE-2026-28459



Products Affected

openclaw

  • openclaw
CWE
CWE-73

External Control of File Name or Path