CVE-2026-28459 HIGH

CVE-2026-28459: OpenClaw < 2026.2.12 - Arbitrary File Write via Untrusted sessionFile Path

Vendor Openclaw
Product OpenClaw
Weakness CWE-73
Published March 5, 2026
Last update March 9, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data repeatedly, potentially causing configuration corruption or denial of service.

Key dates

02Disclosure timeline

March 5, 2026 CVE published
March 9, 2026 Record updated