CVE-2026-28482
Published: 05 March 2026
Summary
CVE-2026-28482 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique OS Credential Dumping: /etc/passwd and /etc/shadow (T1003.008). It is ranked at the 3.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28482 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.12. The flaw occurs because the software constructs transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment, enabling exploitation via path traversal sequences.
Authenticated attackers with low privileges can exploit this vulnerability locally with low complexity and no user interaction required. By injecting sequences like ../../etc/passwd into sessionId or sessionFile parameters, they can read or write arbitrary files outside the agent sessions directory, achieving high confidentiality and integrity impacts as reflected in the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
The fix is in OpenClaw GitHub commits 4199f9889f0c307b77096a229b9e085b8d856c26 and cab0abf52ac91e12ea7a0cf04fff315cf0c94d64, described in the project's security advisory GHSA-5xfq-5mr7-426q. Affected users should upgrade to version 2026.2.12 or later; further analysis is available in the VulnCheck advisory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9928
Vulnerability details
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal enables direct arbitrary file read (e.g. /etc/passwd and /etc/shadow) for credential dumping and local data collection, plus arbitrary file write for stored data manipulation.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of sessionId and sessionFile inputs to reject path traversal sequences such as ../../ before file paths are constructed.
- AC-3 (Access Enforcement): Enforces that only files inside the designated agent sessions directory may be read or written, blocking the unauthorized access achieved by the traversal.
- Monitoring and alerting on anomalous file-access attempts that reference paths outside the expected sessions directory, so that traversal attempts are detected even if a check is missed.
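The two controls above (input validation and directory containment) map directly onto the path construction described in the vulnerability details. The following is an added illustration, not OpenClaw's code or its patch, assuming a Node.js/TypeScript service with a constructed sessions directory of /var/lib/agent/sessions: the naive join the advisory describes, beside a hardened version that allowlists sessionId and proves containment of the resolved path for both sessionId and sessionFile.

```typescript
import * as path from "node:path";

// Constructed example: the per-agent directory transcripts must stay inside.
const SESSIONS_DIR = path.resolve("/var/lib/agent/sessions");

// Naive construction as described in the advisory (shown for contrast only):
// the caller-controlled sessionId is joined straight into the path, so
// "../.." sequences walk out of SESSIONS_DIR during normalization.
function naiveTranscriptPath(sessionId: string): string {
  return path.join(SESSIONS_DIR, sessionId);
}

// Containment check on fully resolved paths. path.relative() returns "" for
// the base itself, a ".." prefix when the target lies outside, and an
// absolute path when the target is on another drive (Windows).
function isContainedIn(baseDir: string, candidate: string): boolean {
  const rel = path.relative(path.resolve(baseDir), path.resolve(candidate));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// SI-10 style check: a session identifier is an opaque token, so reject
// anything that is not a plain token before it is used to build a path.
const SESSION_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,127}$/;

function safeTranscriptPath(sessionId: string): string {
  if (!SESSION_ID_RE.test(sessionId)) {
    throw new Error("invalid sessionId");
  }
  const target = path.join(SESSIONS_DIR, sessionId);
  // AC-3 style check: defence in depth even though the allowlist already
  // excludes separators; the containment test is what blocks traversal.
  if (!isContainedIn(SESSIONS_DIR, target)) {
    throw new Error("sessionId resolves outside the sessions directory");
  }
  return target;
}

// sessionFile is a caller-supplied relative path; resolve it against the
// sessions directory and refuse anything (including absolute paths) that
// ends up outside it.
function safeSessionFile(sessionFile: string): string {
  const target = path.resolve(SESSIONS_DIR, sessionFile);
  if (!isContainedIn(SESSIONS_DIR, target)) {
    throw new Error("sessionFile resolves outside the sessions directory");
  }
  return target;
}
```

The lexical check does not see through symlinks already present inside the directory; where those are possible, apply the same containment test to the realpath of the target before opening it.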