Cyber Posture

CVE-2026-28453

Severity: High · Public PoC

Published: 05 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: commit 3aa94afcfd12104c683c9cad81faf434d0dadf87 (OpenClaw 2026.2.14)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0009 (25.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28453 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw (CPE vendor/product: openclaw/openclaw). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control addressing CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated path traversal in archive extraction directly enables exploitation of a public-facing application (T1190) to achieve arbitrary file writes outside intended directories, with potential for code execution or tampering based on write location.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions prior to 2026.2.14 fail to validate TAR archive entry paths during extraction, allowing path traversal sequences to write files outside the intended directory. Attackers can craft malicious archives with traversal sequences like ../../ to write files outside extraction boundaries, potentially enabling configuration tampering and code execution.

Deeper analysis (AI-generated)

CVE-2026-28453 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.14, stemming from inadequate validation of TAR archive entry paths during extraction. This flaw allows traversal sequences, such as ../../, to direct file writes outside the intended extraction directory. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-03-05.

Attackers can exploit this issue by crafting malicious TAR archives containing traversal sequences and tricking victims into extracting them. Given the CVSS vector, exploitation is feasible remotely by unauthenticated attackers with low complexity and no user interaction required. Successful attacks enable writing arbitrary files outside extraction boundaries, potentially leading to configuration tampering or code execution depending on write locations and privileges.

Advisories and the associated patch reference recommend upgrading to OpenClaw version 2026.2.14 or later, where a fix was implemented via commit 3aa94afcfd12104c683c9cad81faf434d0dadf87. Additional details are available in the GitHub security advisory (GHSA-p25h-9q54-ffvw) and the VulnCheck advisory on the Zip Slip-style path traversal in TAR extraction.
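As an added illustration (this is not OpenClaw's code or the fix in the referenced commit), the following Python shows the entry-path validation the description says was missing: every TAR member's name, and any link target, is resolved against the destination directory and refused if it escapes. The sample archive, with a benign file, a ../../ entry and an escaping symlink, is constructed inline for the demonstration.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

def is_safe_member(member: tarfile.TarInfo, dest: Path) -> bool:
    """True only if the entry, and any link target, resolves inside dest.
    This is the per-entry check a CWE-22 extractor skips."""
    dest = dest.resolve()
    target = (dest / member.name).resolve()
    if os.path.isabs(member.name) or not target.is_relative_to(dest):
        return False  # absolute name or '../' traversal
    if member.issym() or member.islnk():
        # symlink targets are relative to the entry's directory, hard links to the archive root
        base = target.parent if member.issym() else dest
        if not (base / member.linkname).resolve().is_relative_to(dest):
            return False
    return True

def safe_extract(archive: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only validated members; return (extracted, rejected) entry names."""
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if is_safe_member(member, dest):
                tar.extract(member, path=dest)
                extracted.append(member.name)
            else:
                rejected.append(member.name)  # worth logging: a traversal entry is a detection signal
    return extracted, rejected

def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one '../../' entry, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("config/settings.json", b"{}\n"), ("../../evil.sh", b"#!/bin/sh\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("link")
        link.type, link.linkname = tarfile.SYMTYPE, "../../../etc/passwd"
        tar.addfile(link)
    return buf.getvalue()

def demo() -> tuple[list[str], list[str]]:
    """Extract the sample into a temp dir; returns (written, refused) entry names."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), Path(tmp))
```

Only config/settings.json is written; the traversal entry and the escaping symlink are refused and reported, which is the behaviour the 2026.2.14 fix restores for extraction.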

Details

CWE(s): CWE-22

Affected Products: openclaw / openclaw, versions ≤ 2026.2.14

CVEs Like This One

CVE-2026-22171 (same product: Openclaw Openclaw)
CVE-2026-32030 (same product: Openclaw Openclaw)
CVE-2026-33581 (same product: Openclaw Openclaw)
CVE-2026-28462 (same product: Openclaw Openclaw)
CVE-2026-32026 (same product: Openclaw Openclaw)
CVE-2026-32036 (same product: Openclaw Openclaw)
CVE-2026-32055 (same product: Openclaw Openclaw)
CVE-2026-32846 (same product: Openclaw Openclaw)
CVE-2026-32033 (same product: Openclaw Openclaw)
CVE-2026-28457 (same product: Openclaw Openclaw)

References