← volver
CVE-2026-28482

OpenClaw < 2026.2.12 - Path Traversal via Unsanitized sessionId and sessionFile Parameters

CVSS 8.4 HIGHEPSS 0.1%CWE-22
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.4EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch referenciado
Ciclo de vida
05 mar 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Productos afectados
OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426qhttps://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters