Cyber Resilience

CVE-2026-28457

MediumPublic PoC

Published: 05 March 2026

Published
05 March 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v4 5.6 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 15.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28457 is a medium-severity Path Traversal (CWE-22) vulnerability in Openclaw Openclaw. Its CVSS base score is 5.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Escape to Host (T1611); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28457, published on 2026-03-05, is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.14. The flaw affects the sandbox skill mirroring feature, which must be explicitly enabled, due to unsanitized use of the skill frontmatter name parameter during skill copying into the sandbox workspace. Attackers can exploit this by crafting skill packages with traversal sequences such as ../ or absolute paths in the name field, enabling file writes outside the sandbox workspace root directory. The vulnerability carries a CVSS v3.1 base score of 6.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L).

Exploitation requires local access (AV:L) with low complexity (AC:L) and no privileges (PR:N), but depends on user interaction (UI:R), such as enabling sandbox skill mirroring and installing a malicious skill package. A successful attack allows file writes beyond the sandbox boundaries, resulting in high integrity impact (I:H) like overwriting critical files, alongside low availability impact (A:L), with no confidentiality loss (C:N).

Advisories recommend updating to OpenClaw 2026.2.14 or later to mitigate the issue, as evidenced by the patching commit at https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2 and the GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7. Further technical details on the path traversal in sandbox skill mirroring via the name parameter are provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter.

EU & UK References

Vulnerability details

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with…

more

traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1611 Escape to Host Privilege Escalation
Adversaries may break out of a container or virtualized environment to gain access to the underlying host.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Path traversal in sandbox skill mirroring directly allows writes outside workspace root, enabling sandbox escape to host (T1611) and arbitrary stored data manipulation via file overwrites (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32007Same product: Openclaw Openclaw
CVE-2026-41383Same product: Openclaw Openclaw
CVE-2026-27523Same product: Openclaw Openclaw
CVE-2026-28482Same product: Openclaw Openclaw
CVE-2026-28453Same product: Openclaw Openclaw
CVE-2026-31990Same product: Openclaw Openclaw
CVE-2026-32846Same product: Openclaw Openclaw
CVE-2026-32033Same product: Openclaw Openclaw
CVE-2026-32026Same product: Openclaw Openclaw
CVE-2026-35668Same product: Openclaw Openclaw

Affected Assets

openclaw
openclaw
≤ 2026.2.14

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of the skill frontmatter name parameter to reject path traversal sequences before any file copy occurs.

prevent

Enforces that all file-write operations remain confined to the authorized sandbox workspace root, blocking writes outside that boundary.

prevent

Controls information flow so that data originating from an untrusted skill package cannot escape the sandbox via crafted paths.

References