CVE-2026-28482

7.1 HIGH

📋 TL;DR

OpenClaw versions before 2026.2.12 have a path traversal vulnerability where authenticated attackers can use unsanitized sessionId or sessionFile parameters to read or write arbitrary files outside intended directories. This affects all OpenClaw deployments using vulnerable versions. Attackers need valid authentication credentials to exploit this vulnerability.

💻 Affected Systems

Products:
  • OpenClaw
Versions: All versions prior to 2026.2.12
Operating Systems: All platforms running OpenClaw
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in transcript file path construction logic.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through reading sensitive files like /etc/passwd or /etc/shadow, or writing malicious files to critical system locations, leading to remote code execution.

🟠 Likely Case: Unauthorized access to sensitive configuration files, session data, or application files, potentially leading to data theft or privilege escalation.

🟢 If Mitigated: Limited impact with proper file permissions and directory restrictions, potentially only allowing access to non-critical files within the application's context.

🌐 Internet-Facing: MEDIUM - Requires authentication but could be exploited if credentials are compromised or through other attack vectors.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could exploit this to access sensitive files or escalate privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward using path traversal sequences like ../../etc/passwd in session parameters. Requires authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2026.2.12

Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q

Restart Required: Yes

Instructions:

  1. Back up current configuration and data.
  2. Stop the OpenClaw service.
  3. Update to version 2026.2.12 or later.
  4. Restart the OpenClaw service.
  5. Verify the fix by checking the version and confirming that path traversal attempts are rejected.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Implement input validation to reject sessionId and sessionFile parameters containing path traversal sequences.

Configure an application firewall or WAF to block requests containing '../' sequences in parameters.

Directory Restriction (platform: linux)

Enforce strict directory permissions and use chroot/jail to limit file system access:

chmod 750 /path/to/openclaw/sessions
chown root:openclaw /path/to/openclaw/sessions

Note that with root as the owner and mode 750, members of the openclaw group get read and traverse access only; a service that writes session files still needs write access to this directory (for example, ownership by the service account).

🧯 If You Can't Patch

  • Implement strict input validation at the application layer to sanitize sessionId and sessionFile parameters
  • Deploy web application firewall (WAF) rules to block path traversal patterns in HTTP requests

🔍 How to Verify

Check if Vulnerable:

Check the OpenClaw version: if it is earlier than 2026.2.12, the system is vulnerable. Test by attempting to access files outside the session directory using path traversal in session parameters.

Check Version:

Run openclaw --version, or check OpenClaw configuration/status files for version information.

Verify Fix Applied:

After patching, verify that the version is 2026.2.12 or later. Path traversal test attempts should be blocked or sanitized. Check that files outside the session directory cannot be accessed.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with sessionId or sessionFile parameters containing '../' sequences
  • Failed file access attempts outside expected directories
  • Unusual file read/write patterns in session directories

Network Indicators:

  • HTTP requests with path traversal patterns in parameters
  • Unusual file access patterns from authenticated sessions

SIEM Query:

source="openclaw.log" AND (sessionId="*../*" OR sessionFile="*../*")
