GHSA-5xfq-5mr7-426q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5xfq-5mr7-426q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-5xfq-5mr7-426q/GHSA-5xfq-5mr7-426q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5xfq-5mr7-426q
- Aliases
- Published
- 2026-02-18T00:57:30Z
- Modified
- 2026-03-06T01:17:29.328225Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.4 (High) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- OpenClaw's unsanitized session ID enables path traversal in transcript file operations
- Details
-
Description
OpenClaw versions <= 2026.2.9 construct transcript file paths using an unsanitized
sessionIdand also acceptsessionFilepaths without enforcing that they stay within the agent sessions directory.A crafted
sessionIdand/orsessionFile(example:../../etc/passwd) can cause path traversal when the gateway performs transcript file read/write operations.Preconditions: an attacker must be able to authenticate to the gateway (gateway token/password). By default the gateway binds to
loopback(local-only); configurations that expose the gateway widen the attack surface.Affected Packages / Versions
- Package:
openclaw(npm) - Affected:
<= 2026.2.9 - Fixed:
>= 2026.2.12
Fix
Fixed by validating session IDs (rejecting path separators / traversal sequences) and enforcing sessions-directory containment for session transcript file operations.
Fix Commit(s)
4199f9889f0c307b77096a229b9e085b8d856c26
Additional Hardening
cab0abf52ac91e12ea7a0cf04fff315cf0c94d64
Mitigation
Upgrade to
openclaw >= 2026.2.12.Thanks @akhmittra for reporting.
- Package:
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-22" ], "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:57:30Z", "nvd_published_at": "2026-03-05T22:16:23Z" }- References
-
- https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426q
- https://nvd.nist.gov/vuln/detail/CVE-2026-28482
- https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26
- https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.12
- https://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters
Affected packages
npm / openclaw
Package
- Name
- openclaw
- View open source insights on deps.dev
- Purl
- pkg:npm/openclaw