CVE-2026-28462
Received Received - Intake
Path Traversal in OpenClaw Browser API Allows Arbitrary File Writes

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: VulnCheck

Description
OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-28462
EUVD
EUVD-2026-9908
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.13 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

OpenClaw versions prior to 2026.2.13 have a vulnerability in their browser control API. This vulnerability occurs because the API accepts user-supplied output paths for trace and download files without properly restricting these writes to temporary directories.

Attackers who have access to the API can exploit this by using path traversal techniques in specific endpoints (POST /trace/stop, POST /wait/download, and POST /download) to write files outside of the intended temporary directories.

Impact Analysis

This vulnerability allows attackers to write files to arbitrary locations on the system outside of the intended temporary directories.

Such unauthorized file writes can lead to potential security risks such as overwriting critical files, placing malicious files, or otherwise compromising the integrity of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28462. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart