Perceptive Security
SOC/SIEM Consultancy

Published: 4 March 2026 at 23:00:00
Alert date: 5 March 2026 at 23:13:13
Source: nvd.nist.gov
Category: Web Technologies
OpenClaw versions prior to 2026.2.13 contain a path traversal vulnerability in the browser control API. An attacker with access to the API can write files outside the intended temporary directories because the output paths supplied by the caller for trace and download files are used without adequate validation. Three endpoints are affected: POST /trace/stop, POST /wait/download, and POST /download. Because the user-supplied path is not confined to the intended directory, a path containing directory-traversal components escapes it, and an attacker can potentially write malicious files to arbitrary locations on the system.
Technical details
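The defect described above is a missing confinement check on a caller-supplied output path. The following is an added example written for this alert, not code from OpenClaw or from its fix commit, showing two defensive patterns a browser control API can apply before writing a trace or download file: resolving the requested path and verifying it stays inside the configured artifact directory, or discarding the caller's directory components altogether and keeping only a validated file name. The artifact directory name and the sample requests are constructed for the example.

```typescript
import * as path from "path";

// Directory into which trace and download files are meant to be written.
// Constructed for this example; a real service would take it from config.
export const ARTIFACT_DIR = "/tmp/browser-artifacts";

export type PathCheck =
  | { ok: true; resolved: string }
  | { ok: false; reason: string };

// Pattern 1: resolve the requested path against the base directory and reject
// anything that does not stay strictly inside it. The check is lexical: it
// does not follow symlinks, so the base directory itself should be a trusted,
// service-owned location (resolve it with fs.realpath if in doubt).
export function confineOutputPath(baseDir: string, requested: string): PathCheck {
  if (typeof requested !== "string" || requested.length === 0) {
    return { ok: false, reason: "empty path" };
  }
  if (requested.includes("\0")) {
    return { ok: false, reason: "NUL byte in path" };
  }
  if (path.isAbsolute(requested)) {
    return { ok: false, reason: "absolute path not allowed" };
  }
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, requested);
  const rel = path.relative(base, resolved);
  // rel === "" means the request resolved to the directory itself, not a file.
  // A leading ".." segment means the request climbed out of the base directory.
  // (A name such as "..trace.zip" is legitimate, hence the separator test.)
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep)) {
    return { ok: false, reason: "path escapes base directory" };
  }
  return { ok: true, resolved };
}

// Pattern 2 (simpler and usually preferable): ignore any directory the caller
// supplied, keep only the final component, and accept it only if it matches a
// conservative file-name alphabet. Returns null when the name is unusable.
export function safeBaseName(requested: string): string | null {
  const name = path.basename(requested);
  if (name === "" || name === "." || name === "..") {
    return null;
  }
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/.test(name)) {
    return null;
  }
  return name;
}

// Helper tying the two together: the final location a handler would hand to
// the file writer, or null if the request must be refused.
export function outputLocation(requested: string): string | null {
  const name = safeBaseName(requested);
  if (name === null) {
    return null;
  }
  const check = confineOutputPath(ARTIFACT_DIR, name);
  return check.ok ? check.resolved : null;
}
```

A handler for the affected endpoints would call outputLocation (or confineOutputPath when subdirectories are intentionally allowed) and return an error to the client instead of writing when the result is a rejection; an audit log entry for each rejection is a useful detection signal for probing of the API.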
Mitigation steps: Upgrade to OpenClaw 2026.2.13 or later, which contains the fix referenced in the linked commit. Until the upgrade is applied, limit access to the browser control API, since the vulnerability requires API access.
Affected products:
OpenClaw
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-28462
https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426
https://github.com/openclaw/openclaw/security/advisories/GHSA-gq9c-wg68-gwj2
https://www.vulncheck.com/advisories/openclaw-path-traversal-in-trace-and-download-output-paths
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
