

OpenClaw: Path Traversal in Browser Trace/Download Output Paths

CVE-2026-28462 · High · Published

  • CVSS: 7.5 High · Network · No PR
  • EPSS: 0.00066 (0.1% chance of exploit in 30d)
  • CWE: CWE-22 Path Traversal
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

Per GHSA-gq9c-wg68-gwj2: “OpenClaw’s browser control API accepted user-supplied output paths for trace/download files without consistently constraining writes to OpenClaw-managed temporary directories.”

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published version at triage time: Prior to 2026.2.13
  • Affected range: Per GHSA-gq9c-wg68-gwj2: openclaw < 2026.2.13
  • Patched version: OpenClaw 2026.2.13

Impact

Per GHSA: “If an attacker can access the browser control API, they could attempt to write trace/download output files outside intended temp roots, depending on process filesystem permissions.” Per NVD: traversal is reachable via POST /trace/stop, POST /wait/download, and POST /download endpoints.

Severity Rationale

GHSA severity: HIGH. NVD CVSS 7.5 (High): network AV, low complexity, no privileges or UI, confidentiality-only per the vector.

Fix

Per GHSA: “Upgrade to 2026.2.13 or later. The fix constrains output paths” (continues — see source).

Disclosure timeline

  • TBD: Reported to vendor
  • TBD: Patch released (OpenClaw 2026.2.13)
  • Feb 18, 2026: GHSA-gq9c-wg68-gwj2 published

Fix Commit(s)

References

Discovered by Adnan Jakati · Published April 29, 2026