CVE-2026-26972 in OpenClaw
Summary
by MITRE • 02/20/2026
OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 02/24/2026
The vulnerability identified as CVE-2026-26972 affects OpenClaw, a personal AI assistant platform, specifically within versions ranging from 2026.1.12 through 2026.2.12. This security flaw resides in the browser download helper functionality that processes file downloads through browser control gateway routes. The core technical issue stems from inadequate input sanitization of output paths, creating a path traversal vulnerability that allows malicious actors to write downloaded files outside the designated temporary downloads directory. The vulnerability demonstrates a clear failure in proper path validation and access control mechanisms, representing a classic example of improper input validation that aligns with CWE-22 Path Traversal vulnerability classifications.
The operational impact of this vulnerability extends beyond simple file system manipulation, as it creates potential for unauthorized file system access and modification capabilities. Attackers exploiting this flaw could potentially write malicious files to critical system locations, execute arbitrary code, or disrupt normal application operations. The vulnerability requires authenticated access through either command-line interface credentials or an authenticated gateway RPC token, which means it cannot be exploited anonymously but represents a significant privilege escalation risk for authenticated users. The restriction that this issue is not exposed via the AI agent tool schema provides some mitigation, as it limits the attack surface to specific gateway routes rather than broad AI agent functionality.
Security researchers should note that this vulnerability aligns with ATT&CK technique T1059.001 Command and Scripting Interpreter and T1566.001 Phishing: Spearphishing Attachment, as it could potentially enable attackers to establish persistence or escalate privileges through file system modifications. The fix implemented in version 2026.2.13 demonstrates proper remediation through input sanitization and path validation, which should prevent unauthorized path traversal attempts. Organizations should immediately upgrade to version 2026.2.13 or later to mitigate this risk, while also implementing monitoring for unauthorized file system modifications in download directories. The vulnerability serves as a reminder of the critical importance of proper input validation and access control mechanisms in web applications, particularly in AI assistant platforms where user interactions may provide privileged access paths.