Path traversal in OpenClaw - CVE-2026-28486

Published: May 4, 2026


Vulnerability identifier: #VU129448
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-28486
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to write arbitrary files outside the intended extraction directory.

The vulnerability exists due to path traversal in archive extraction during explicit installation commands when extracting a crafted archive from a local file or download URL. A local user can supply a specially crafted archive to write arbitrary files outside the intended extraction directory.

User interaction is required to run an installation command against an untrusted archive, and the issue is not triggered by receiving messages or normal gateway operation.
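The advisory does not show the affected extractor or its language, so the following is an added illustration of the control that prevents CWE-22 during archive extraction, not OpenClaw's own code: every member name is resolved against the real extraction directory and the whole archive is rejected before anything is written if any member would land outside it (the names, the zip format and the `UnsafeArchiveEntry` class are assumptions for the example).

```python
import io
import os
import stat
import zipfile

class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would land outside the extraction directory."""

def resolve_member_path(dest_dir: str, member_name: str) -> str:
    """Return the absolute path a member would be written to, or raise (CWE-22 check)."""
    dest_root = os.path.realpath(dest_dir)
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        raise UnsafeArchiveEntry(f"absolute member name: {member_name!r}")
    target = os.path.realpath(os.path.join(dest_root, member_name))
    # commonpath, not startswith: "/tmp/out" must not accept "/tmp/outside/x"
    if os.path.commonpath([dest_root, target]) != dest_root:
        raise UnsafeArchiveEntry(f"member escapes extraction dir: {member_name!r}")
    return target

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list[str]:
    """Validate every member before writing anything, then extract; return files written."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        planned = []
        for member in zf.infolist():
            # A symlink member could redirect a later write outside dest_dir,
            # so refuse it rather than follow it.
            if stat.S_ISLNK(member.external_attr >> 16):
                raise UnsafeArchiveEntry(f"symlink member: {member.filename!r}")
            planned.append((member, resolve_member_path(dest_dir, member.filename)))
        # One bad entry rejects the whole archive, leaving no half-written install.
        written = []
        for member, target in planned:
            if member.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {member_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

The same validate-then-write pattern applies to tar archives, where member types (symlinks, hard links, devices) also need to be checked before extraction.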


How to mitigate CVE-2026-28486

Install the security update from the vendor's website.
