CVE-2026-28459 in OpenClaw

Summary

by MITRE • 03/06/2026

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.


Analysis

by VulDB Data Team • 03/10/2026

The vulnerability identified as CVE-2026-28459 affects OpenClaw versions prior to 2026.2.12 and represents a critical path traversal flaw that undermines the application's security controls. This issue stems from inadequate input validation within the sessionFile parameter processing mechanism, which allows authenticated users to manipulate file paths beyond the intended sessions directory boundaries. The flaw specifically impacts the gateway client functionality where transcript data handling occurs, creating an avenue for unauthorized file system modifications that could compromise system integrity and availability.

The technical implementation of this vulnerability resides in the application's failure to properly sanitize or validate user-supplied sessionFile paths before executing file system operations. When authenticated gateway clients submit requests containing sessionFile parameters, the system does not adequately verify that these paths remain within the designated sessions directory structure. This validation gap enables attackers to specify absolute paths or paths with directory traversal sequences that bypass normal access controls. The vulnerability manifests as a path traversal condition that aligns with CWE-22, specifically categorized under improper limitation of a pathname to a restricted directory, commonly known as path traversal or directory traversal attacks.

From an operational perspective, this vulnerability presents significant risks to system stability and data integrity. Attackers can repeatedly append data to files located outside the intended session storage area, potentially corrupting critical system configuration files or creating malicious artifacts in sensitive directories. The ability to write to arbitrary filesystem locations creates opportunities for both configuration corruption and denial of service conditions, as attackers can target system-critical files or fill disk space with malicious content. The repeated append operations compound the impact, allowing for persistent modification of system state over time rather than a single point of exploitation.

The security implications extend beyond simple file system manipulation to encompass potential privilege escalation and system compromise scenarios. While the vulnerability requires authentication, the ability to write to arbitrary locations on the host filesystem provides attackers with persistent access patterns that could be leveraged for further exploitation. This flaw can be particularly dangerous when combined with other vulnerabilities or when the application runs with elevated privileges, as it could enable attackers to modify system binaries, configuration files, or log data. The attack vector aligns with ATT&CK technique T1078.004, which covers valid accounts with the specific context of credential access and privilege escalation through legitimate system access.

Mitigation strategies for CVE-2026-28459 should focus on implementing robust input validation and path sanitization mechanisms within the OpenClaw application. Organizations should immediately upgrade to version 2026.2.12 or later, which includes proper sessionFile parameter validation that restricts file operations to the designated sessions directory. Additionally, implementing strict path validation routines that normalize and verify all file paths before processing can prevent similar issues in other components. System administrators should also consider implementing file system monitoring and access control restrictions around critical directories to detect and prevent unauthorized file modifications. The vulnerability demonstrates the importance of the principle of least privilege and proper input validation as fundamental security controls that should be implemented throughout the application development lifecycle.
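The "normalize and verify" check that the mitigation paragraph describes, as an added example that is neither OpenClaw's code nor VulDB's: a Node.js/TypeScript helper (assumed runtime; the function names, sessions directory and file names are constructed) that resolves a client-supplied sessionFile value and rejects anything that does not stay inside the sessions directory, contrasted with a string-prefix comparison that lets a sibling directory through.

```typescript
import * as path from "node:path";

// Added example, not OpenClaw's own code: resolve a client-supplied sessionFile
// value to a path that is guaranteed to stay inside the sessions directory.
// Returns the resolved absolute path, or null when the request must be rejected.
function resolveSessionFile(sessionsDir: string, sessionFile: unknown): string | null {
  const root = path.resolve(sessionsDir);

  // The field arrives from JSON, so check the type before touching it.
  if (typeof sessionFile !== "string" || sessionFile.length === 0) return null;
  // Only names relative to the sessions directory are acceptable.
  if (path.isAbsolute(sessionFile)) return null;
  // An embedded NUL byte would truncate the path at the OS boundary.
  if (sessionFile.includes("\0")) return null;

  // Normalise "." and ".." lexically, then ask how the result relates to root.
  const candidate = path.resolve(root, sessionFile);
  const rel = path.relative(root, candidate);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null; // candidate is the root itself, escaped it, or changed drive
  }
  return candidate;
}

// The check a naive implementation might use. It accepts any resolved path that
// merely begins with the root string, so a sibling directory such as
// "<root>-old" slips through. Kept here only to contrast with the function above.
function prefixCheckOnly(sessionsDir: string, sessionFile: string): boolean {
  const root = path.resolve(sessionsDir);
  return path.resolve(root, sessionFile).startsWith(root);
}
```

path.resolve is purely lexical; if the sessions directory may contain symbolic links, follow this check with an fs.realpath comparison on the file actually opened.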

Responsible: VulnCheck
Reservation: 02/27/2026
Disclosure: 03/06/2026
Moderation: accepted
CPE: ready
EPSS: 0.00058
KEV: no
Activities: very low
