CVE-2026-28457

MEDIUM 6.1

OpenClaw < 2026.2.14 - Path Traversal in Sandbox Skill Mirroring via Name Parameter

CVSS Score

6.1

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory.

CWE	CWE-22
Vendor	openclaw
Product	openclaw
Published	Mar 5, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new medium vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected Versions

OpenClaw / OpenClaw

0 < 2026.2.14

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-xw4p-pw82-hqr7 github.com: https://github.com/openclaw/openclaw/commit/3eb6a31b6fcf8268456988bfa8e3637d373438c2 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-path-traversal-in-sandbox-skill-mirroring-via-name-parameter

Credits

🔍 Oleh Konko (@1seal)