Cyber Resilience

CVE-2026-28453

High · Public PoC

Published: 05 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: available (OpenClaw 2026.2.14 or later)
CVSS Score (v4): 8.3
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0041 (32.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28453 is a high-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 32.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28453 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.14, stemming from inadequate validation of TAR archive entry paths during extraction. This flaw allows traversal sequences, such as ../../, to direct file writes outside the intended extraction directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-05.

Attackers can exploit this issue by crafting malicious TAR archives containing traversal sequences and tricking victims into extracting them. Given the v3.1 vector, exploitation is feasible remotely by unauthenticated attackers with low complexity and no user interaction required; note that this differs from the v4 vector recorded above (AV:L, UI:A), which, like the scenario just described, assumes local access and an action by the victim. Successful attacks enable writing arbitrary files outside extraction boundaries, potentially leading to configuration tampering or code execution depending on write locations and privileges.

Advisories and the associated patch reference recommend upgrading to OpenClaw version 2026.2.14 or later, where a fix was implemented via commit 3aa94afcfd12104c683c9cad81faf434d0dadf87. Additional details are available in the GitHub security advisory (GHSA-p25h-9q54-ffvw) and the VulnCheck advisory on the Zip Slip-style path traversal in TAR extraction.
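One way to implement the entry-path check this advisory says was missing, as an added Python example (this is not OpenClaw's own code, which the page does not show); the destination directory and the three-entry sample archive are constructed for illustration:

```python
import io
import os
import tarfile

class UnsafeTarEntry(ValueError):
    """A TAR entry (or its link target) would land outside the extraction directory."""

def resolve_inside(dest: str, name: str) -> str:
    """Return the absolute path `name` maps to under `dest`, or raise if it escapes."""
    dest_real = os.path.realpath(dest)
    # Normalise first, so 'a/../../b' and absolute names fail the prefix check too.
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeTarEntry(f"{name!r} resolves to {target!r}, outside {dest_real!r}")
    return target

def check_members(tar: tarfile.TarFile, dest: str) -> tuple[list[str], list[str]]:
    """Split members into (safe, rejected) names without writing anything to disk."""
    safe, rejected = [], []
    for m in tar.getmembers():
        try:
            resolve_inside(dest, m.name)
            # Link targets matter too: a symlink out of `dest`, then a file written
            # through it, is the other classic archive escape.
            if m.issym():  # symlink targets are relative to the link's own directory
                resolve_inside(dest, os.path.join(os.path.dirname(m.name), m.linkname))
            elif m.islnk():  # hard-link targets are relative to the archive root
                resolve_inside(dest, m.linkname)
            safe.append(m.name)
        except UnsafeTarEntry:
            rejected.append(m.name)
    return safe, rejected

def build_sample_tar() -> bytes:
    """Constructed archive: a benign file, a '../../' file and a symlink that escapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("plugin/config.json", b"{}"), ("../../.bashrc", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("plugin/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "../../../etc"
        tar.addfile(link)
    return buf.getvalue()

def audit(tar_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Report which entries of an in-memory archive a safe extractor must refuse."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return check_members(tar, dest)
```

From Python 3.12 on, `extractall(filter="data")` enforces the same rule (paths and link targets inside the destination), so a hardened extractor should prefer that filter over a hand-written check.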

Vulnerability details

OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated path traversal in archive extraction directly enables exploitation of a public-facing application (T1190) to achieve arbitrary file writes outside intended directories, with potential for code execution or tampering based on write location.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

All listed for the same product (Openclaw Openclaw):
CVE-2026-22171
CVE-2026-28462
CVE-2026-33581
CVE-2026-32055
CVE-2026-32026
CVE-2026-32846
CVE-2026-32036
CVE-2026-32030
CVE-2026-32033
CVE-2026-32924

Affected Assets

Vendor: openclaw
Product: openclaw
Versions: ≤ 2026.2.14

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of TAR archive entry paths to block path traversal sequences like ../../ during extraction.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and patching of the specific path traversal flaw in OpenClaw versions prior to 2026.2.14.

Integrity checking (detect)
Enables integrity checks on files and configurations to identify unauthorized writes outside intended directories resulting from exploitation.
