Cyber Resilience

CVE-2026-28482

Severity: High · Public PoC

Published: 05 March 2026
Modified: 23 March 2026
KEV Added: not listed
Patch: available (commits listed under Deeper analysis)
CVSS v4.0 Score: 8.4 (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0014 (3.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-28482 is a high-severity path traversal (CWE-22) vulnerability in OpenClaw (vendor Openclaw, product Openclaw). Its CVSS v4.0 base score is 8.4 (High).

Operationally, exploitation aligns with MITRE ATT&CK technique T1003.008 (/etc/passwd and /etc/shadow). The CVE ranks at the 3.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28482 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.12. The flaw occurs because the software constructs transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment, enabling exploitation via path traversal sequences.

Authenticated attackers with low privileges can exploit this vulnerability locally with low complexity and no user interaction required. By injecting sequences like ../../etc/passwd into sessionId or sessionFile parameters, they can read or write arbitrary files outside the agent sessions directory, achieving high confidentiality and integrity impacts as reflected in the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The fix is in OpenClaw GitHub commits 4199f9889f0c307b77096a229b9e085b8d856c26 and cab0abf52ac91e12ea7a0cf04fff315cf0c94d64, described in the project's security advisory GHSA-5xfq-5mr7-426q. Affected users should upgrade to version 2026.2.12 or later; further analysis is available in the VulnCheck advisory.

Vulnerability details

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

CWE(s): CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1003.008 /etc/passwd and /etc/shadow (Credential Access): Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.
T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal enables direct arbitrary file read (e.g. /etc/passwd and /etc/shadow) for credential dumping and local data collection, plus arbitrary file write for stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35668 (same product: Openclaw Openclaw)
CVE-2026-28457 (same product: Openclaw Openclaw)
CVE-2026-28462 (same product: Openclaw Openclaw)
CVE-2026-33581 (same product: Openclaw Openclaw)
CVE-2026-32026 (same product: Openclaw Openclaw)
CVE-2026-32846 (same product: Openclaw Openclaw)
CVE-2026-32030 (same product: Openclaw Openclaw)
CVE-2026-32033 (same product: Openclaw Openclaw)
CVE-2026-41383 (same product: Openclaw Openclaw)
CVE-2026-27523 (same product: Openclaw Openclaw)

Affected Assets

Vendor: openclaw · Product: openclaw · Affected versions: ≤ 2026.2.12

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10 Information Input Validation): Directly requires validation of sessionId and sessionFile inputs to reject path traversal sequences such as ../../ before file paths are constructed.

Prevent (AC-3 Access Enforcement): Enforces that only files inside the designated agent sessions directory may be read or written, blocking the unauthorized access achieved by the traversal.

Detect: Enables monitoring and alerting on anomalous file-access attempts that reference paths outside the expected sessions directory.
