CVE-2026-28459

OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path

CVSS 7.1 HIGHEPSS 0.4%CWE-73

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 7.1EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

05 mar 2026Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Produtos afetados

OpenClaw · OpenClaw

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/openclaw/openclaw/commit/25950bcbb8ba4d8cde002557f6e27c219ae4deda https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26 https://github.com/openclaw/openclaw/security/advisories/GHSA-64qx-vpxx-mvqf https://www.vulncheck.com/advisories/openclaw-arbitrary-file-write-via-untrusted-sessionfile-path