Cyber Posture

CVE-2026-28482

High · Public PoC

Published: 05 March 2026
Modified: 23 March 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (11.0th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-28482 is a high-severity Path Traversal (CWE-22) vulnerability in OpenClaw. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1003.008 (/etc/passwd and /etc/shadow). The CVE ranks at the 11.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to T1003.008 (/etc/passwd and /etc/shadow) and 3 other techniques.

Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise Techniques (AI)

T1003.008 /etc/passwd and /etc/shadow (Credential Access)
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Path traversal enables direct arbitrary file read (e.g. /etc/passwd and /etc/shadow) for credential dumping and local data collection, plus arbitrary file write for stored data manipulation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

Deeper analysis (AI)

CVE-2026-28482 is a path traversal vulnerability (CWE-22) in OpenClaw versions prior to 2026.2.12. The flaw occurs because the software constructs transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment, enabling exploitation via path traversal sequences.

Authenticated attackers with low privileges can exploit this vulnerability locally with low complexity and no user interaction required. By injecting sequences like ../../etc/passwd into sessionId or sessionFile parameters, they can read or write arbitrary files outside the agent sessions directory, achieving high confidentiality and integrity impacts as reflected in the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The fix is in GitHub commits 4199f9889f0c307b77096a229b9e085b8d856c26 and cab0abf52ac91e12ea7a0cf04fff315cf0c94d64, and is described in the project's security advisory GHSA-5xfq-5mr7-426q. Affected users should upgrade to version 2026.2.12 or later; further analysis is available in the VulnCheck advisory.
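
One way to enforce the directory containment that the analysis above says was missing, shown next to the unchecked pattern. This is an added example, not OpenClaw's code or its patch; the sessions directory, the ".jsonl" suffix and all function names are assumptions.

```javascript
// Added example: names, directory and ".jsonl" suffix are assumptions, not OpenClaw code.
const path = require("node:path");

const SESSIONS_DIR = "/var/lib/agent/sessions"; // hypothetical sessions directory
const SESSION_ID_RE = /^[A-Za-z0-9_-]{1,128}$/; // allow-list: no dots or separators

// Pattern the advisory describes: the identifier is joined without any check.
function unsafeTranscriptPath(sessionId) {
  return path.posix.join(SESSIONS_DIR, `${sessionId}.jsonl`);
}

// True only if candidate is strictly below baseDir. Comparing via relative()
// avoids the string-prefix pitfall ("/sessions-evil" starts with "/sessions").
function isInside(baseDir, candidate) {
  const rel = path.posix.relative(baseDir, candidate);
  return rel !== "" && rel !== ".." && !rel.startsWith("../");
}

// sessionId: validate the shape first, then still verify containment.
function safeTranscriptPath(sessionId, baseDir = SESSIONS_DIR) {
  if (typeof sessionId !== "string" || !SESSION_ID_RE.test(sessionId)) {
    throw new Error("invalid sessionId");
  }
  const full = path.posix.resolve(baseDir, `${sessionId}.jsonl`);
  if (!isInside(baseDir, full)) throw new Error("path escapes sessions directory");
  return full;
}

// sessionFile: may name a subpath, so resolve it and enforce containment.
// This check is lexical; a real deployment should also compare fs.realpath()
// results so a symlink inside the directory cannot point outside it.
function safeSessionFile(sessionFile, baseDir = SESSIONS_DIR) {
  if (typeof sessionFile !== "string" || sessionFile.includes("\0")) {
    throw new Error("invalid sessionFile");
  }
  const full = path.posix.resolve(baseDir, sessionFile);
  if (!isInside(baseDir, full)) throw new Error("path escapes sessions directory");
  return full;
}
```

The unchecked join resolves the NVD description's sample value to a path outside the sessions directory, while both checked functions reject it before any file is opened.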

Details

CWE(s)

Affected Products

openclaw
openclaw
≤ 2026.2.12

CVEs Like This One

CVE-2026-35668 (same product: Openclaw Openclaw)
CVE-2026-28457 (same product: Openclaw Openclaw)
CVE-2026-32030 (same product: Openclaw Openclaw)
CVE-2026-33581 (same product: Openclaw Openclaw)
CVE-2026-28462 (same product: Openclaw Openclaw)
CVE-2026-32026 (same product: Openclaw Openclaw)
CVE-2026-32846 (same product: Openclaw Openclaw)
CVE-2026-32033 (same product: Openclaw Openclaw)
CVE-2026-41383 (same product: Openclaw Openclaw)
CVE-2026-22171 (same product: Openclaw Openclaw)

References