Platform
nodejs
Component
openclaw
Fixed in
2026.2.13
CVE-2026-28462 describes a Path Traversal vulnerability discovered in OpenClaw, a retro-computing emulator. This flaw allows attackers with API access to write files to arbitrary locations on the system, potentially leading to code execution or data compromise. The vulnerability impacts versions 0 through 2026.2.13, and a patch has been released in version 2026.2.13.
The core of this vulnerability lies in the OpenClaw browser control API, specifically how it handles output paths for trace and download files. The API accepts user-supplied paths without sufficient validation, allowing an attacker to craft malicious requests to POST /trace/stop, POST /wait/download, and POST /download endpoints. By manipulating these paths, an attacker can bypass intended temporary directory restrictions and write files to sensitive locations, such as system directories or user home directories. Successful exploitation could lead to arbitrary code execution, data theft, or denial of service, depending on the attacker's goals and the permissions of the OpenClaw process.
CVE-2026-28462 was publicly disclosed on March 5, 2026. There is no indication of active exploitation at this time, and it is not currently listed on the CISA KEV catalog. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is developed.
Systems running OpenClaw versions 0 through 2026.2.13 are at risk, particularly those where the browser control API is exposed to untrusted users or applications. Shared hosting environments where multiple users share the same OpenClaw instance are also at elevated risk.
• other / general: Monitor file system activity for unexpected file creations or modifications in sensitive directories. Review access logs for suspicious requests targeting /trace/stop, /wait/download, and /download endpoints with unusual file paths.
• generic web: Use curl or wget to test endpoint exposure and attempt to write files to arbitrary locations. Example:
curl -X POST -d "output=/etc/passwd" http://<openclaw_server>/trace/stop
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28462 is to immediately upgrade OpenClaw to version 2026.2.13 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing stricter file access controls on the OpenClaw installation directory to limit the potential impact of a successful attack. While a WAF or proxy cannot directly prevent path traversal, it can be configured to block requests containing suspicious path patterns (e.g., sequences of '..'). Regularly review and audit API access controls to ensure only authorized users have access to the browser control API.
Update OpenClaw to version 2026.2.13 or later. This version fixes the path traversal vulnerability by correctly restricting writes to temporary directories. The update mitigates the risk of attackers with API access writing files outside the intended temporary paths.
CVE-2026-28462 is a Path Traversal vulnerability affecting OpenClaw versions 0–2026.2.13, allowing attackers to write files outside intended directories via API access.
If you are running OpenClaw versions 0 through 2026.2.13 and expose the browser control API, you are potentially affected by this vulnerability.
Upgrade OpenClaw to version 2026.2.13 or later. If immediate upgrade is not possible, implement temporary workarounds like restricting API access and input validation.
As of the current assessment, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official OpenClaw security advisory for detailed information and updates regarding CVE-2026-28462.