Path traversal in OpenClaw - CVE-2026-28457

Published: May 4, 2026


Vulnerability identifier: #VU129446
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28457
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to write files outside the sandbox workspace.

The vulnerability exists due to insufficient validation of the skill name taken from SKILL.md frontmatter in the sandbox skill mirroring functionality: when a skill is copied into the sandbox workspace, the untrusted name is used to build the destination path, so a name containing traversal sequences places the files outside the workspace. A remote attacker can supply a crafted skill package and, once a user installs or loads it, write files outside the sandbox workspace.

User interaction is required, and exploitation requires sandbox mode with skill mirroring into the sandbox workspace enabled; deployments without that configuration are not exposed to this issue.
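
The following is an added illustration of the bug class described above, not OpenClaw's code: a Python mirroring routine that trusts the frontmatter `name` field, beside a hardened version that allow-lists the name and re-checks the resolved destination against the workspace root. The `skills/` subdirectory layout, the minimal frontmatter parser and the file names are assumptions for the example.

```python
"""Vulnerable vs. hardened skill mirroring (constructed illustration, not OpenClaw code)."""
import re
import tempfile
from pathlib import Path


def parse_frontmatter(skill_md: str) -> dict:
    """Parse the '---'-delimited 'key: value' block at the top of a SKILL.md.

    Minimal parser written for this example (no YAML library), assumed format.
    """
    lines = skill_md.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    meta = {}
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if sep:
            meta[key.strip()] = value.strip()
    return meta


def mirror_skill_vulnerable(skill_md: str, workspace: Path) -> Path:
    """Trusts the frontmatter name: '../' components escape the workspace."""
    name = parse_frontmatter(skill_md)["name"]
    dest = workspace / "skills" / name / "SKILL.md"   # assumed layout
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(skill_md)
    return dest


# Allow-list: alphanumeric start, then a short run of [A-Za-z0-9._-].
# No '/' or '\' can appear, and '..' cannot match because the first
# character must be alphanumeric.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_skill_name(name: str) -> bool:
    return SAFE_NAME.fullmatch(name) is not None


def mirror_skill_hardened(skill_md: str, workspace: Path) -> Path:
    """Validates the name, then verifies the resolved path stays under the root."""
    name = parse_frontmatter(skill_md).get("name", "")
    if not is_safe_skill_name(name):
        raise ValueError(f"rejected skill name: {name!r}")
    root = (workspace / "skills").resolve()
    dest = (root / name / "SKILL.md").resolve()
    # Second line of defence: containment check after symlink/'..' resolution.
    if not dest.is_relative_to(root):          # Python 3.9+
        raise ValueError("destination escapes the sandbox workspace")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(skill_md)
    return dest


def demo() -> dict:
    """Run both routines against a crafted and a benign skill in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp) / "sandbox"
        (workspace / "skills").mkdir(parents=True)
        # Constructed sample inputs: a traversal name and an ordinary one.
        evil = "---\nname: ../../escaped\n---\n# payload\n"
        benign = "---\nname: helper\n---\n# fine\n"

        vuln_dest = mirror_skill_vulnerable(evil, workspace).resolve()
        escaped = not vuln_dest.is_relative_to(workspace.resolve())

        hardened_rejected = False
        try:
            mirror_skill_hardened(evil, workspace)
        except ValueError:
            hardened_rejected = True

        good = mirror_skill_hardened(benign, workspace).resolve()
        return {
            "vulnerable_escaped": escaped,
            "hardened_rejected": hardened_rejected,
            "benign_inside": good.is_relative_to(workspace.resolve()),
        }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the primary control; the post-resolution containment check is kept as a second layer so that a future change to how the destination is built (or a symlink already present in the workspace) cannot silently reintroduce the escape.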


How to mitigate CVE-2026-28457

Install the security update from the vendor's website.

Sources