CVE-2026-28462
Published: 05 March 2026
Summary
CVE-2026-28462 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); the CVE ranks at the 33.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-9 (Information Input Restrictions).
Deeper analysis
CVE-2026-28462, published on 2026-03-05, is a path traversal vulnerability (CWE-22) in the browser control API of OpenClaw versions prior to 2026.2.13. The flaw occurs because the API accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. This enables exploitation through the POST /trace/stop, POST /wait/download, and POST /download endpoints.
Remote attackers with API access and no required privileges (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows writing files outside the intended temporary roots, resulting in high confidentiality impact (C:H) but no integrity (I:N) or availability (A:N) effects, as reflected in its CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Mitigation details are provided in advisories from GitHub (GHSA-gq9c-wg68-gwj2) and VulnCheck, along with a fixing commit at https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426. Affected users should upgrade to OpenClaw 2026.2.13 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9908
Vulnerability details
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in the POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside the intended temp roots.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the public browser-control API enables remote exploitation of the exposed endpoints (T1190) to write application-generated trace/download data outside the intended directories; placing that data in accessible locations directly facilitates retrieval of sensitive local system data (T1005).
Mitigating Controls (NIST 800-53 r5)
Requires validation of user-supplied output paths in the browser control API endpoints to ensure they remain within intended temporary directories, directly preventing path traversal exploits.
Restricts classes of user-supplied file paths in POST /trace/stop, /wait/download, and /download endpoints to block traversal sequences like '../', stopping unauthorized writes outside temp roots.
Enforces access control policies on file system operations to limit writes to authorized temporary directories, addressing the failure to constrain API-driven file placements.