High severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 9, 2026
OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters
CVE-2026-28482
Description
OpenClaw versions prior to 2026.2.12 build transcript file paths from the sessionId parameter without sanitizing it, and accept sessionFile paths without checking that the resolved path stays inside the agent sessions directory. An authenticated attacker can supply traversal sequences such as ../../etc/passwd in either parameter to read or write arbitrary files outside that directory.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| openclaw (npm) | < 2026.2.12 | 2026.2.12 |
References
- github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 (patch)
- github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64 (patch)
- github.com/advisories/GHSA-5xfq-5mr7-426q (advisory)
- github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28482 (advisory)
- www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters (third-party advisory)
- github.com/openclaw/openclaw/releases/tag/v2026.2.12 (release)