CVE-2026-28459
Published: 05 March 2026
Summary
CVE-2026-28459 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in OpenClaw. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE is ranked at the 15.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping has not yet run for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Rejects externally supplied file or resource identifiers that fail validity checks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables arbitrary file writes and appends outside the intended sessions directory, which directly facilitates stored data manipulation (configuration corruption) and denial of service on the endpoint (filesystem exhaustion).
NVD Description
OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.
Deeper analysis
CVE-2026-28459 is a path traversal vulnerability (CWE-73) in OpenClaw versions prior to 2026.2.12, stemming from inadequate validation of the sessionFile path parameter. The flaw is in the gateway's handling of transcript writes: a sessionFile value supplied by an authenticated gateway client is used to choose where on the host filesystem transcript data is written. Without a containment check, the parameter can name a path outside the intended sessions directory, enabling unauthorized file creation and appends.
Authenticated attackers with gateway client access (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). By supplying a malicious sessionFile path, they achieve an arbitrary file write: creating a new file or repeatedly appending data to an existing one. Because the attacker controls the location but the content written is transcript data, the impact is configuration file corruption (I:L) or denial of service through filesystem exhaustion (A:H), with no confidentiality impact (C:N). The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H, giving the base score of 7.1.
Mitigation requires upgrading to OpenClaw 2026.2.12 or later, where the issue is addressed via commits such as 25950bcbb8ba4d8cde002557f6e27c219ae4deda and 4199f9889f0c307b77096a229b9e085b8d856c26. Additional details are available in the GitHub Security Advisory GHSA-64qx-vpxx-mvqf and VulnCheck advisory at https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path.
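The pattern described in the deeper analysis above, and the "reject identifiers that fail validity checks" control listed under Likely Mitigating Controls, as an added example in TypeScript. This is not OpenClaw's own code and is not taken from the fix commits cited above: it shows a transcript writer that resolves a client-supplied sessionFile as-is beside a hardened writer that confines the write to the sessions directory, with symlink and size-cap handling for the append-until-exhaustion case. The function names, the .jsonl suffix, the size cap and the sample attacker input are assumptions made for this example, and the language is a choice for illustration rather than a statement about OpenClaw's code base.

```typescript
// Added example (not OpenClaw code). Names, the .jsonl suffix and the cap are assumptions.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Vulnerable pattern: the client-controlled sessionFile is resolved and appended to as-is.
// A value such as "../config.json" or "/etc/hosts" lands outside sessionsDir.
export function appendTranscriptUnsafe(sessionsDir: string, sessionFile: string, line: string): string {
  const target = path.resolve(sessionsDir, sessionFile);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.appendFileSync(target, line + "\n");
  return target;
}

// True only when candidate lies strictly inside baseDir, compared lexically.
// A name that merely begins with ".." (e.g. "..notes.jsonl") is still inside.
export function isInsideDir(baseDir: string, candidate: string): boolean {
  const rel = path.relative(baseDir, candidate);
  return rel !== "" && !path.isAbsolute(rel) && rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Lexical validation of a client-supplied sessionFile against the sessions directory.
// Throws instead of silently rewriting, so a hostile value is visible in logs.
export function resolveSessionFile(baseDir: string, sessionFile: string): string {
  const base = path.resolve(baseDir); // normalise trailing slashes etc.
  if (sessionFile.includes("\0")) throw new Error("sessionFile contains NUL");
  const target = path.resolve(base, sessionFile);
  if (!isInsideDir(base, target)) throw new Error(`sessionFile escapes sessions dir: ${sessionFile}`);
  if (path.dirname(target) !== base) throw new Error("sessionFile must be a direct child of sessions dir");
  if (path.extname(target) !== ".jsonl") throw new Error("sessionFile must end in .jsonl");
  return target;
}

// Stricter alternative: accept only a session id and derive the file name server-side.
export function sessionFileFromId(baseDir: string, sessionId: string): string {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(sessionId)) throw new Error(`invalid session id: ${sessionId}`);
  return path.join(path.resolve(baseDir), `${sessionId}.jsonl`);
}

export const MAX_TRANSCRIPT_BYTES = 64 * 1024 * 1024; // assumed cap for this example

// Hardened writer: canonicalise the base (the lexical check alone does not see symlinks),
// validate, refuse to follow a symlink planted at the target, and cap growth so that
// repeated appends cannot exhaust the filesystem.
export function appendTranscriptSafe(sessionsDir: string, sessionFile: string, line: string): string {
  const base = fs.realpathSync(sessionsDir);
  const target = resolveSessionFile(base, sessionFile);
  let st: fs.Stats | undefined;
  try { st = fs.lstatSync(target); } catch (e: any) { if (e?.code !== "ENOENT") throw e; }
  let size = 0;
  if (st) {
    if (st.isSymbolicLink()) throw new Error("refusing to append through a symlink");
    size = st.size;
  }
  const payload = line + "\n";
  if (size + Buffer.byteLength(payload) > MAX_TRANSCRIPT_BYTES) throw new Error("transcript size cap reached");
  fs.appendFileSync(target, payload);
  return target;
}

// Small helper so callers can check that a validation path rejects an input.
export function throws(fn: () => unknown): boolean {
  try { fn(); return false; } catch { return true; }
}

// Demonstration on a throwaway directory with a constructed attacker input:
// the unsafe writer creates a file one level above the sessions directory, the safe one refuses.
export function demo(): { unsafeEscaped: boolean; safeRejected: boolean; safeWrote: boolean } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "sessions-demo-"));
  const sessionsDir = path.join(root, "sessions");
  fs.mkdirSync(sessionsDir);
  const hostile = "../config.json"; // constructed: escapes sessionsDir
  const unsafeTarget = appendTranscriptUnsafe(sessionsDir, hostile, '{"role":"user","content":"hi"}');
  const unsafeEscaped = !isInsideDir(sessionsDir, unsafeTarget) && fs.existsSync(path.join(root, "config.json"));
  const safeRejected = throws(() => appendTranscriptSafe(sessionsDir, hostile, "x"));
  const ok = appendTranscriptSafe(sessionsDir, "sess-1.jsonl", '{"role":"user","content":"hi"}');
  const safeWrote = fs.readFileSync(ok, "utf8").includes('"hi"');
  fs.rmSync(root, { recursive: true, force: true });
  return { unsafeEscaped, safeRejected, safeWrote };
}
```

Running demo() shows the unsafe writer creating config.json one level above the sessions directory while the safe writer throws on the same input. The lexical containment check in resolveSessionFile is the core fix for the CWE-73 pattern; the realpath, symlink and size-cap handling in appendTranscriptSafe address the two impacts the advisory names (corrupting a file that is reachable through the sessions directory, and growing a file until the filesystem is exhausted).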
Details
- CWE(s)