Platform: nodejs
Component: openclaw
Fixed in: 2026.2.13
CVE-2026-28462 describes a Path Traversal vulnerability discovered in OpenClaw. This flaw allows attackers with API access to write files to arbitrary locations on the system, potentially leading to code execution or data exfiltration. The vulnerability affects versions 0 through 2026.2.13 of OpenClaw and has been resolved in version 2026.2.13.
The core of this vulnerability lies in the OpenClaw browser control API's handling of user-supplied output paths for trace and download files. The API fails to adequately restrict writes to the designated temporary directories. An attacker who can reach the API (e.g., through a compromised application or user account) can send requests to the POST /trace/stop, POST /wait/download, and POST /download endpoints whose output paths escape the intended temporary root. If successful, these requests let the attacker write files outside that root, potentially overwriting critical system files or injecting malicious code. The potential impact includes complete system compromise, data theft, and denial of service.
CVE-2026-28462 was publicly disclosed on March 5, 2026. Currently, there are no known public proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The probability of exploitation is considered medium, given the relatively straightforward nature of path traversal vulnerabilities and the potential for API access to be compromised.
Exploit Status
EPSS: 0.06% (19th percentile)
The primary mitigation for CVE-2026-28462 is to upgrade OpenClaw to version 2026.2.13 or later. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing temporary workarounds. These may include restricting API access to trusted users and processes, implementing stricter input validation on the /trace/stop, /wait/download, and /download endpoints to sanitize file paths, and monitoring file system activity for unauthorized writes. After upgrading, verify the fix by attempting to write files outside the intended temporary directory via the API and confirming that the operation is denied.
Update OpenClaw to version 2026.2.13 or later. This version fixes the path traversal vulnerability by correctly restricting writes to temporary directories. The update mitigates the risk of attackers with API access writing files outside the intended temporary paths.
CVE-2026-28462 is a Path Traversal vulnerability affecting OpenClaw versions 0–2026.2.13, allowing attackers to write files outside intended directories via API access.
If you are running OpenClaw versions 0 through 2026.2.13 and expose the browser control API, you are potentially affected by this vulnerability.
Upgrade OpenClaw to version 2026.2.13 or later. If an immediate upgrade is not possible, implement temporary workarounds such as restricting API access and adding input validation on the affected endpoints.
As of the current assessment, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests a potential for exploitation.
Refer to the official OpenClaw security advisory for detailed information and updates regarding CVE-2026-28462.