CVE-2026-28462

HIGH 7.5

OpenClaw < 2026.2.13 - Path Traversal in Trace and Download Output Paths

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.

CWE	CWE-22
Vendor	openclaw
Product	openclaw
Published	Mar 5, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for openclaw openclaw

Be the first to know when new high vulnerabilities affecting openclaw openclaw are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

OpenClaw / OpenClaw

0 < 2026.2.13

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2 github.com: https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426 vulncheck.com: https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths

Credits

🔍 Adnan Jakati (@jackhax)