Platform
nodejs
Component
openclaw
Fixed in
2026.2.1
CVE-2026-28447 describes a Path Traversal vulnerability in the OpenClaw npm package. The flaw allows a malicious plugin, through manipulation of the name field in its package.json, to write files outside the designated extensions directory. The vulnerability affects versions from 2026.1.20 up to, but not including, 2026.2.1. A fix has been released in version 2026.2.1.
An attacker could exploit this vulnerability by crafting a malicious plugin with a specially designed package.json name. This crafted name would trick OpenClaw's plugin installer into writing files to arbitrary locations on the system, potentially overwriting critical files or injecting malicious code. The impact could range from denial of service (DoS) if important files are corrupted to complete system compromise if the attacker gains the ability to execute arbitrary code. The ability to write to arbitrary locations represents a significant security risk, particularly in environments where OpenClaw plugins are automatically installed or updated without sufficient security checks.
As of the public disclosure date (2026-02-17), there is no indication of active exploitation of CVE-2026-28447. No public proof-of-concept (PoC) code has been released. The EPSS score is currently unavailable, so the probability of exploitation is difficult to assess. This vulnerability is not listed on the CISA KEV catalog.
Developers and organizations using OpenClaw for plugin-based extensions are at risk. This includes those who automatically install plugins from untrusted sources or lack robust input validation on plugin names. Shared hosting environments where multiple users can install plugins are particularly vulnerable, as a malicious plugin installed by one user could potentially impact other users on the same server.
• nodejs / supply-chain:
npm list openclaw
Check the installed version against the affected range (>= 2026.1.20, < 2026.2.1).
• nodejs / supply-chain:
find node_modules -name 'package.json' -print0 | xargs -0 grep -i '"name": *"@ma'
Search for plugins with suspicious names containing '@ma' or similar patterns (the pattern matches the JSON form of the name field, i.e. "name": "@ma...).
• generic web: Inspect plugin installation directories for unexpected files or modifications.
disclosure
patch
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28447 is to upgrade the OpenClaw npm package to version 2026.2.1 or later. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing stricter input validation on plugin names before installation. While not a complete solution, a Web Application Firewall (WAF) or proxy could be configured to block requests containing suspicious characters or patterns in plugin names. Regularly audit installed plugins and their dependencies to identify any potentially malicious code. After upgrading, confirm the fix by attempting to install a plugin with a crafted name designed to trigger the path traversal vulnerability; the installation should fail with an appropriate error message.
Upgrade OpenClaw to version 2026.2.1 or later. This version fixes the path traversal vulnerability in plugin installation. The update will prevent attackers from writing files outside the intended extensions directory.
CVE-2026-28447 is a Path Traversal vulnerability in the OpenClaw npm package, allowing malicious plugin names to write files outside the intended installation directory.
You are affected if you are using OpenClaw versions 2026.1.20 and higher, but before 2026.2.1.
Upgrade the OpenClaw npm package to version 2026.2.1 or later. Consider input validation on plugin names as an interim measure.
As of the public disclosure date, there is no evidence of active exploitation or publicly available proof-of-concept code.
Refer to the npm advisory and OpenClaw's project repository for the latest information and updates regarding CVE-2026-28447.