Description

OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining writes to temporary directories. Attackers with API access can exploit path traversal in POST /trace/stop, POST /wait/download, and POST /download endpoints to write files outside intended temp roots.

INFO

Published Date :

2026-03-05T21:59:38.752Z

Last Modified :

2026-03-05T22:28:01.531Z

Source :

VulnCheck
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28462 vulnerability.

Vendors Products
Openclaw
  • Openclaw
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28462.

URL Resource
https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426 cve-icon cve-icon
https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2 cve-icon cve-icon
https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact