CVE-2026-28459
Path Traversal in OpenClaw SessionFile Allows Denial of Service
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.2.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenClaw versions prior to 2026.2.12, where the software fails to properly validate the sessionFile path parameter.
Because of this, authenticated gateway clients can specify a sessionFile path outside the intended sessions directory, allowing them to write transcript data to arbitrary locations on the host filesystem.
Attackers can create files or append data repeatedly in these arbitrary locations, which may lead to configuration corruption or denial of service.
How can this vulnerability impact me? :
The vulnerability allows authenticated users to write data to arbitrary locations on the host filesystem.
This can result in configuration corruption, which may disrupt normal operation of the system.
Additionally, repeated data writes could cause denial of service, potentially making the system unavailable or unstable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know