CVE-2026-28459
📋 TL;DR
OpenClaw versions before 2026.2.12 have an arbitrary file write vulnerability where authenticated gateway clients can manipulate the sessionFile path parameter to write transcript data to arbitrary locations on the host filesystem. This allows attackers to create or append files outside intended directories, potentially leading to configuration corruption or denial of service. Only authenticated users can exploit this vulnerability.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could overwrite critical system files, corrupt configurations, or fill disk space causing denial of service, potentially leading to system compromise or data loss.
Likely Case
Attackers create or append files to arbitrary locations, potentially corrupting application configurations or causing service disruption through disk space exhaustion.
If Mitigated
With proper file permissions and monitoring, impact is limited to application-level configuration issues that can be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.12
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf
Restart Required: Yes
Instructions:
1. Download OpenClaw version 2026.2.12 or later from official sources.
2. Stop the OpenClaw service.
3. Back up configuration files.
4. Install the updated version.
5. Restart the OpenClaw service.
🔧 Temporary Workarounds
Restrict file system permissions
Platform: Linux. Limit OpenClaw process permissions to only the necessary directories:
chmod 750 /var/lib/openclaw/sessions
chown openclaw:openclaw /var/lib/openclaw/sessions
Implement input validation at proxy
Platform: all. Add WAF or reverse proxy rules to block malicious sessionFile parameters.
🧯 If You Can't Patch
- Implement strict file system permissions for OpenClaw directories
- Monitor for unusual file creation patterns in system directories
🔍 How to Verify
Check if Vulnerable:
Check the OpenClaw version: if it is lower than 2026.2.12, the system is vulnerable.
Check Version:
openclaw --version
Verify Fix Applied:
Verify that the OpenClaw version is 2026.2.12 or higher and test that the sessionFile parameter cannot write outside the sessions directory.
📡 Detection & Monitoring
Log Indicators:
- Unusual file creation events in system logs
- OpenClaw logs showing sessionFile paths outside /var/lib/openclaw/sessions
Network Indicators:
- HTTP requests with manipulated sessionFile parameters containing path traversal sequences
SIEM Query:
source="openclaw.log" AND (sessionFile CONTAINS ".." OR sessionFile NOT STARTSWITH "/var/lib/openclaw/sessions")
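As an added example (not code from OpenClaw or from this advisory), the following Python shows the two defensive checks the "How to Verify" and "Detection & Monitoring" sections describe: a containment test that a sessionFile value must pass before any transcript write, which is the behaviour "Verify Fix Applied" asks you to confirm, and a detector that applies the same test together with the SIEM query's ".." rule to log lines. The log line format and the sample lines are constructed assumptions; the base directory is the one the advisory names. A plain prefix comparison like the query's NOT STARTSWITH accepts a sibling directory such as sessions_old, so the detector resolves paths with realpath and compares with commonpath instead.

```python
import os
import re
from typing import Dict, List

# Directory named in the advisory's detection guidance.
SESSIONS_DIR = "/var/lib/openclaw/sessions"


def is_contained(session_file: str, base_dir: str = SESSIONS_DIR) -> bool:
    """Return True only if session_file resolves to a file path inside base_dir.

    Relative values are resolved against base_dir; realpath then collapses
    '..' segments (and symlinks, where they exist on the running host) before
    the containment test, so traversal through the allowed prefix is caught.
    The base directory itself is not an acceptable transcript path.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, session_file))
    # Both sides are absolute after realpath, so commonpath cannot raise.
    return candidate != base and os.path.commonpath([base, candidate]) == base


# Constructed sample log in an assumed "<timestamp> gateway sessionFile=<path>"
# format; it is not OpenClaw's real log layout.
SAMPLE_LOG = """\
2026-02-10T10:00:01Z gateway sessionFile=/var/lib/openclaw/sessions/abc123.jsonl
2026-02-10T10:00:02Z gateway sessionFile=../../etc/openclaw.json
2026-02-10T10:00:03Z gateway sessionFile=/var/lib/openclaw/sessions/../../tmp/x.jsonl
2026-02-10T10:00:04Z gateway sessionFile=/var/lib/openclaw/sessions_old/abc.jsonl
2026-02-10T10:00:05Z gateway sessionFile=sub/dir/def456.jsonl
"""

_SESSION_FILE_RE = re.compile(r"sessionFile=(\S+)")


def find_suspicious(log_text: str, base_dir: str = SESSIONS_DIR) -> List[Dict[str, str]]:
    """Flag log lines whose sessionFile has a '..' segment or escapes base_dir.

    Mirrors the advisory's SIEM query, but replaces the string-prefix test
    with a resolved-path containment test.
    """
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = _SESSION_FILE_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        reasons = []
        if ".." in path.split("/"):
            reasons.append("traversal")
        if not is_contained(path, base_dir):
            reasons.append("outside-sessions-dir")
        if reasons:
            hits.append({"line": line, "sessionFile": path, "reason": ",".join(reasons)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['reason']:32} {hit['sessionFile']}")
```

Run against a real export, point `find_suspicious` at the log text and adjust `_SESSION_FILE_RE` to the actual field name and layout; the containment check itself is independent of the log format and can be reused as a pre-write guard in any component that accepts a client-supplied path.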
🔗 References
- https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda
- https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26
- https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf
- https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path