CVE-2026-28462
📋 TL;DR
OpenClaw versions before 2026.2.13 contain a path traversal vulnerability in the browser control API endpoints that handle trace and download files. An attacker with API access can write files outside the intended temporary directories, potentially achieving arbitrary file writes. All OpenClaw deployments running a vulnerable version are affected.
💻 Affected Systems
- OpenClaw
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via writing malicious files to system directories, complete system compromise, or data exfiltration.
Likely Case
Arbitrary file writes leading to data corruption, denial of service, or privilege escalation by overwriting critical files.
If Mitigated
Limited to temporary directory writes with proper API access controls and file system permissions.
🎯 Exploit Status
Exploitation requires API access but path traversal is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.2.13
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update OpenClaw to version 2026.2.13 or later.
3. Restart the OpenClaw service.
4. Verify the fix using the verification steps below.
🔧 Temporary Workarounds
Restrict API Access
Linux: Limit network access to the OpenClaw API endpoints using firewall rules, for example with iptables (replace [API_PORT] and [TRUSTED_NETWORK] with your values; the ACCEPT rule must come before the DROP rule):
iptables -A INPUT -p tcp --dport [API_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [API_PORT] -j DROP
Implement API Authentication
All platforms: Add an authentication layer in front of the API endpoints if one is not already present.
🧯 If You Can't Patch
- Implement strict file system permissions on temporary directories to prevent writes outside designated areas.
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in API requests.
🔍 How to Verify
Check if Vulnerable:
Check the OpenClaw version and compare it against the vulnerable range (any version before 2026.2.13). Review the API endpoint configuration for path validation on trace and download file names.
Check Version:
openclaw --version
Verify Fix Applied:
Verify that the running version is 2026.2.13 or later, then test the trace/download endpoints with path traversal inputs to confirm they are now rejected.
📡 Detection & Monitoring
Log Indicators:
- API requests containing '../' patterns in POST /trace/stop, POST /wait/download, or POST /download endpoints
- File write operations outside expected temporary directories
Network Indicators:
- Unusual POST requests to trace/download endpoints with path traversal sequences
SIEM Query:
source="openclaw.log" AND (uri_path="/trace/stop" OR uri_path="/wait/download" OR uri_path="/download") AND request_body MATCHES "\.\./"