CVE-2026-28462
Published: 05 March 2026
Summary
CVE-2026-28462 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw (vendor: Openclaw). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 20.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public browser-control API enables remote exploitation of exposed endpoints (T1190) to write app-generated trace/download data outside intended directories; placement in accessible locations directly facilitates retrieval of sensitive local system data (T1005).
NVD Description
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.
Deeper analysis
CVE-2026-28462, published on 2026-03-05, is a path traversal vulnerability (CWE-22) in the browser control API of OpenClaw versions prior to 2026.2.13. The flaw occurs because the API accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. This enables exploitation through the POST /trace/stop, POST /wait/download, and POST /download endpoints.
Remote attackers with API access and no required privileges (PR:N) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows writing files outside the intended temporary roots, resulting in high confidentiality impact (C:H) but no integrity (I:N) or availability (A:N) effects, as reflected in its CVSS 3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Mitigation details are provided in advisories from GitHub (GHSA-gq9c-wg68-gwj2) and VulnCheck, along with a fixing commit at https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426. Affected users should upgrade to OpenClaw 2026.2.13 or later to address the issue.
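The mitigating control listed above ("validates pathnames and filenames to prevent traversal outside intended directories") applied to the weakness described here: a caller-supplied output path for a trace or download file is accepted only if it resolves inside a fixed temp root, and otherwise the server falls back to a name it generates itself. This is an added TypeScript example, not code from OpenClaw or from the fixing commit; the function names, the root `/tmp/openclaw-traces` and the fallback name are constructed for illustration.

```typescript
import * as path from "node:path";

// Added example (hypothetical, not OpenClaw's code): confine a caller-supplied
// output path to a fixed temp root before a trace or download file is written.
// Returns the resolved absolute path, or null when the path escapes the root.
export function resolveWithinRoot(root: string, userPath: string): string | null {
  const rootAbs = path.resolve(root);
  // Relative inputs resolve against the root; absolute inputs are kept as
  // given and must still land inside the root to be accepted.
  const target = path.resolve(rootAbs, userPath);
  const rel = path.relative(rootAbs, target);
  const escapes =
    rel === "" ||                        // the root directory itself, not a file in it
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||   // climbs out of the root after normalisation
    path.isAbsolute(rel);                // another drive or volume (Windows)
  return escapes ? null : target;
}

// Decide where the file is written: honour the caller's path only when it stays
// inside the root, otherwise use a server-generated name inside the root.
// Note: a pre-existing symlink inside the root can still point elsewhere; if the
// root is shared with other users, also check fs.realpath of the parent directory.
export function chooseOutputPath(root: string, userPath: string | undefined, fallbackName: string): string {
  if (userPath !== undefined) {
    const safe = resolveWithinRoot(root, userPath);
    if (safe !== null) return safe;
  }
  return path.join(path.resolve(root), fallbackName);
}
```

The check is done on the normalised result rather than by scanning the input for `..`, so `sub/../trace.json` is accepted (it stays inside the root) while `../escape.txt` and an absolute path outside the root are rejected.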
Details
- CWE(s)