Path traversal in OpenClaw - CVE-2026-28453

Published: May 4, 2026


Vulnerability identifier: #VU129455
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-28453
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote attacker to write files outside the intended extraction directory.

The vulnerability exists due to path traversal in extractArchive() in src/infra/archive.ts when extracting TAR archives. A remote attacker can supply a specially crafted archive with traversal or absolute entry paths to write files outside the intended extraction directory.

User interaction is required to install an untrusted .tar or .tgz archive through plugin or hook installation flows.
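The entry-path validation a TAR extractor needs to close this class of bug, as an added TypeScript example; it is not OpenClaw's code nor the patched extractArchive(), and the extraction root and the archive listing are constructed for the demonstration.

```typescript
import * as path from "path";

// Constructed extraction root for the demonstration (not a real OpenClaw path).
export const EXTRACT_ROOT = "/opt/openclaw/plugins/incoming";

export interface EntryCheck {
  entry: string;
  ok: boolean;
  reason?: string;
  target?: string;
}

// Resolve one TAR entry name against the extraction root and decide whether
// writing it is safe: reject NUL bytes, absolute names (POSIX or drive-letter)
// and any name that resolves outside the root through ".." components.
export function checkEntry(root: string, entryName: string): EntryCheck {
  if (entryName.includes("\0")) {
    return { entry: entryName, ok: false, reason: "embedded NUL byte" };
  }
  // TAR names use "/", but treat "\" as a separator too so a Windows-style
  // name cannot smuggle a traversal component past the check.
  const name = entryName.replace(/\\/g, "/");
  if (path.posix.isAbsolute(name) || /^[A-Za-z]:/.test(name)) {
    return { entry: entryName, ok: false, reason: "absolute entry path" };
  }
  const rootAbs = path.posix.resolve(root);
  const target = path.posix.resolve(rootAbs, name);
  // Accept only the root itself (a "./" directory entry) or a path strictly
  // below it; the trailing "/" rules out sibling prefixes like "incoming-x".
  if (target !== rootAbs && !target.startsWith(rootAbs + "/")) {
    return { entry: entryName, ok: false, reason: "escapes extraction root", target };
  }
  return { entry: entryName, ok: true, target };
}

// Check a whole listing; an extractor should refuse the archive outright if
// any entry fails instead of silently skipping the bad ones.
export function checkArchive(root: string, entries: string[]): EntryCheck[] {
  return entries.map((e) => checkEntry(root, e));
}

export function isSafeArchive(root: string, entries: string[]): boolean {
  return checkArchive(root, entries).every((c) => c.ok);
}

// Constructed listing mixing benign entries with the traversal and
// absolute-path shapes the advisory describes.
export const SAMPLE_ENTRIES = [
  "./", "plugin/index.js", "plugin/./manifest.json",
  "../../outside.txt", "/tmp/absolute.txt", "plugin/../../sibling.txt",
];
```

Symlink and hardlink entries need the same check applied to their link targets, which this example does not cover.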


How to mitigate CVE-2026-28453

Install the security update from the vendor's website.

Sources