CVE-2026-28482

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26	Patch
https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64	Patch
https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q	Vendor Advisory
https://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

23 Mar 2026, 14:17

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 -~~	() https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 - Patch
References	~~() https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64 -~~	() https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64 - Patch
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q - Vendor Advisory
References	~~() https://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters -~~	() https://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters - Third Party Advisory
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*
First Time		Openclaw openclaw Openclaw

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) Versiones de OpenClaw anteriores a 2026.2.12 construyen rutas de archivos de transcripción utilizando parámetros sessionId no saneados y rutas sessionFile sin aplicar la contención de directorios. Atacantes autenticados pueden explotar secuencias de salto de ruta como .. /.. /etc /passwd en los parámetros sessionId o sessionFile para leer o escribir archivos arbitrarios fuera del directorio de sesiones del agente.

06 Mar 2026, 17:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 7.1

05 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-05 22:16

Updated : 2026-03-23 14:17

NVD link : CVE-2026-28482

Mitre link : CVE-2026-28482

CVE.ORG link : CVE-2026-28482

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

7.1 /10