CVE-2026-28453
Published: 05 March 2026
Summary
CVE-2026-28453 is a high-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28453 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.14, stemming from inadequate validation of TAR archive entry paths during extraction. This flaw allows traversal sequences, such as ../../, to direct file writes outside the intended extraction directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-05.
Attackers can exploit this issue by crafting malicious TAR archives containing traversal sequences and tricking victims into extracting them. Given the CVSS vector, exploitation is feasible remotely by unauthenticated attackers with low complexity and no user interaction required. Successful attacks enable writing arbitrary files outside extraction boundaries, potentially leading to configuration tampering or code execution depending on write locations and privileges.
Advisories and the associated patch reference recommend upgrading to OpenClaw version 2026.2.14 or later, where a fix was implemented via commit 3aa94afcfd12104c683c9cad81faf434d0dadf87. Additional details are available in the GitHub security advisory (GHSA-p25h-9q54-ffvw) and VulnCheck advisory on the ZIP slip-style path traversal in TAR extraction.
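As an added defender-side example (not OpenClaw's code; the page does not show the project's extraction routine), the per-entry check that an extractor must apply before writing anything, built on Python's standard tarfile module. The archive, the entry names and the destination path are constructed for the demonstration; it extends the page's `../../` case to outward-pointing symlinks and hard links, which escape a directory the same way.

```python
import io
import os
import tarfile

def build_sample_tar() -> bytes:
    """Constructed sample: a benign file, a ../ escape, and a symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("docs/readme.txt", b"benign\n"),
                              ("../../evil.txt", b"lands outside dest\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo(name="docs/escape")
        link.type, link.linkname = tarfile.SYMTYPE, "../../../outside"
        tar.addfile(link)
    return buf.getvalue()

def is_within(base: str, path: str) -> bool:
    """True if path, once ../ segments and symlinks are resolved, stays under base."""
    base, path = os.path.realpath(base), os.path.realpath(path)
    return os.path.commonpath([base, path]) == base

def entry_is_safe(dest: str, member: tarfile.TarInfo) -> bool:
    """The per-entry validation the advisory describes as missing before 2026.2.14."""
    target = os.path.join(dest, member.name)  # an absolute member name discards dest here
    if not is_within(dest, target):
        return False
    if member.issym():  # symlink target is relative to the link's own directory
        return is_within(dest, os.path.join(os.path.dirname(target), member.linkname))
    if member.islnk():  # hard-link target is an archive-relative path
        return is_within(dest, os.path.join(dest, member.linkname))
    return True

def find_unsafe(data: bytes, dest: str) -> list[str]:
    """Names of entries that would write or link outside dest (no files are touched)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [m.name for m in tar.getmembers() if not entry_is_safe(dest, m)]

def extract_safely(data: bytes, dest: str) -> list[str]:
    """Validate every entry before writing anything; one bad entry rejects the archive."""
    bad = find_unsafe(data, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest)
        return tar.getnames()
```

On Python 3.12 and later the same class of check is available natively as `extractall(dest, filter="data")`; the explicit version above shows what that filter rejects and why.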
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9902
Vulnerability details
OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated path traversal in archive extraction directly enables exploitation of a public-facing application (T1190) to achieve arbitrary file writes outside intended directories, with potential for code execution or tampering based on write location.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of TAR archive entry paths to block path traversal sequences like ../../ during extraction.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and patching of the specific path traversal flaw in OpenClaw versions prior to 2026.2.14.
- Enables integrity checks on files and configurations to identify unauthorized writes outside intended directories resulting from exploitation.