CVE-2026-26972
Received Received - Intake
Path Traversal in OpenClaw Browser Download Helper Allows Arbitrary File Write

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes, this allowed path traversal to write downloads outside the intended OpenClaw temp downloads directory. This issue is not exposed via the AI agent tool schema (no `download` action). Exploitation requires authenticated CLI access or an authenticated gateway RPC token. Version 2026.2.13 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26972
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw From 2026.1.12 (inc) to 2026.2.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26972 is a path traversal vulnerability in the OpenClaw personal AI assistant's browser download helpers. In affected versions (2026.1.12 through 2026.2.12), the browser download functionality accepted an unsanitized output path when invoked via browser control gateway routes. This flaw allowed an attacker with authenticated CLI access or an authenticated gateway RPC token to write downloaded files outside the intended temporary downloads directory by exploiting directory traversal."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the code did not properly constrain or validate the file paths used for downloads, allowing escape from the designated temporary directories. The issue is not exposed through the AI agent tool schema, which lacks a download action.'}, {'type': 'paragraph', 'content': 'The fix, introduced in version 2026.2.13, enforces strict path resolution and validation to ensure all download and trace output paths remain confined within designated OpenClaw temporary directories, preventing unauthorized file system access or overwrites.'}] [1, 2]

Impact Analysis

If exploited, this vulnerability allows an attacker with high-level authenticated access (CLI or gateway RPC token) to perform path traversal attacks, enabling them to write files outside the intended temporary download directory.

This can lead to unauthorized modification or overwriting of files on the system, potentially compromising confidentiality, integrity, and availability of data and system resources.

Because the vulnerability requires high privileges and local access, the risk is moderate but significant in environments where such access is possible.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "Detection of this vulnerability involves identifying attempts to exploit path traversal in OpenClaw's browser download helpers by checking for unauthorized file writes outside the intended temporary download directories."}, {'type': 'paragraph', 'content': 'Since exploitation requires authenticated CLI access or an authenticated gateway RPC token, monitoring authenticated requests to the browser control gateway routes such as POST /wait/download and POST /download for unusual or unexpected output paths is critical.'}, {'type': 'paragraph', 'content': 'You can audit logs for HTTP 400 responses with error messages indicating path validation failures, which would suggest attempts to use traversal paths.'}, {'type': 'paragraph', 'content': 'Suggested commands or approaches include:'}, {'type': 'list_item', 'content': 'Review OpenClaw gateway logs for POST requests to /wait/download and /download endpoints with suspicious path parameters.'}, {'type': 'list_item', 'content': 'Use file system monitoring tools (e.g., inotifywait on Linux) to detect unexpected file writes outside the designated OpenClaw temp directories (/tmp/openclaw/downloads or equivalent).'}, {'type': 'list_item', 'content': 'Search for error messages related to path validation failures in OpenClaw logs, which indicate rejected traversal attempts.'}, {'type': 'list_item', 'content': 'If you have access to the OpenClaw CLI or gateway, attempt to invoke download commands with crafted paths to test if the system properly rejects traversal outside the allowed directories.'}] [1, 2]

Mitigation Strategies

The primary and immediate mitigation step is to upgrade OpenClaw to version 2026.2.13 or later, which includes the fix that enforces strict path resolution and validation to prevent path traversal.

Additional mitigation steps include:

  • Restrict authenticated CLI and gateway RPC token access to trusted users only, as exploitation requires authenticated access.
  • Monitor and block any requests attempting to specify output paths outside the designated temporary directories.
  • Apply strict file system permissions on OpenClaw temporary directories to limit unauthorized file writes.
  • Review and harden gateway and ACP permissions to prevent unauthorized tool invocations.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26972. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart