ГлавнаяУязвимости → CVE-2026-28482
7.1высокая

CVE-2026-28482

Описание

OpenClaw versions prior to 2026.2.12 construct transcript file paths using unsanitized sessionId parameters and sessionFile paths without enforcing directory containment. Authenticated attackers can exploit path traversal sequences like ../../etc/passwd in sessionId or sessionFile parameters to read or write arbitrary files outside the agent sessions directory.

Затрагиваемое ПО
Openclaw Openclaw
CVSS
Балл7.1 — высокая
ВекторCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Источники
https://github.com/openclaw/openclaw/commit/4199f9889f0c307b77096a229b9e085b8d856c26https://github.com/openclaw/openclaw/commit/cab0abf52ac91e12ea7a0cf04fff315cf0c94d64https://github.com/openclaw/openclaw/security/advisories/GHSA-5xfq-5mr7-426qhttps://www.vulncheck.com/advisories/openclaw-path-traversal-via-unsanitized-sessionid-and-sessionfile-parameters